
Re: iptables-save/restore with dynamic IP

martin f krafft wrote:
> also sprach Martin G.H. Minkler <dukeofnukem@gmx.net> [2004.10.21.1345 +0200]:
>
>> Although it is hardly imaginable that someone <tm> manages to
>> spoof the interface match, I wanted my rules as tight as possible
>> thus using interface _and_ DynIP ('$IPTABLES -A INPUT -p tcp -d
>> $IP_INET -i $DEV_INET -m state --state NEW -j BLACKLIST')- it
>> would naturally all be solved if I refrained from using variables
>> and resorted to -i ppp0 instead.
>
> Why do you want your rules to be as tight as possible? While
> I fundamentally agree with this approach, I don't really see an
> added value for limiting the destination address.

The basic idea was to double-latch things: if one criterion could be spoofed, the other would still hold. When it comes to a PPPoE connection, the single IP and gateway provided by the ISP certainly limit the probability of any of that happening; on the other hand I have seen bad setups in which a LAN and a gateway with just one NIC were sharing a switch - filtering $DEV_INET would mean filtering $DEV_LAN at the same time. Well, looks like I still have to think up a situation where this rule would provide any additional protection though ;-)

> You do know that there are plenty of firewall scripts for iptables
> already, right?

Sure, I just like fiddling with things under the hood, messing them up and putting them back together ;-) IMHO with a bit of knowledge it is sometimes much easier to quickly act upon tsunamis of worms sweeping through a LAN from a few infected M$-boxes. Dropping their MAC addresses so they can't bug the outside world is often more a question of speed than comfortable configuration (and eventually necessary stop/start steps).

For quick and easy setups I enjoy shorewall very much.

best regards
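The rule quoted above, together with the thread's subject (restoring a saved ruleset when the PPP address changes), as an added example that is not code from either poster: a POSIX sh script that renders an iptables-restore template with the current interface name and address, so the interface-plus-address match survives an IP change. The template, the @IP_INET@/@DEV_INET@ placeholders and the sample address are constructed for this example; PPP_IFACE and PPP_LOCAL are the variables Debian's /etc/ppp/ip-up exports to scripts in /etc/ppp/ip-up.d.

```shell
#!/bin/sh
# Render an iptables-restore ruleset for the current dynamic PPP address.
# Intended to be called from /etc/ppp/ip-up.d so the rules are rebuilt
# every time the link comes up with a new address.

# Constructed template. The INPUT rule is the one discussed in the thread,
# with @IP_INET@ / @DEV_INET@ as placeholders (names assumed for this example).
RULE_TEMPLATE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d @IP_INET@ -i @DEV_INET@ -m state --state NEW -j BLACKLIST
COMMIT'

# Accept only a dotted-quad IPv4 address with octets 0-255, so a bad or
# missing value from the environment can never be spliced into the ruleset.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# render_rules DEV IP: print the ruleset with both placeholders filled in.
# Fails (exit 1, nothing printed) on an invalid address or interface name,
# so a failed substitution cannot leave a half-rendered ruleset behind.
render_rules() {
    dev=$1; ip=$2
    valid_ipv4 "$ip" || { echo "render_rules: bad address '$ip'" >&2; return 1; }
    case $dev in
        ''|*[!A-Za-z0-9_.-]*) echo "render_rules: bad interface '$dev'" >&2; return 1 ;;
    esac
    printf '%s\n' "$RULE_TEMPLATE" | sed -e "s/@IP_INET@/$ip/g" -e "s/@DEV_INET@/$dev/g"
}

# From an ip-up.d script (Debian passes the interface and local address as
# PPP_IFACE and PPP_LOCAL):
#   render_rules "$PPP_IFACE" "$PPP_LOCAL" | iptables-restore
```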

