
Re: Resolved: locking oneself out, unroutable addresses



On Sat, Jan 28, 2006 at 06:25:05PM +1100, Daniel Pittman wrote:
> gcrimp@vcn.bc.ca writes:
> > On Mon, Jan 23, 2006 at 04:06:26PM +1100, Daniel Pittman wrote:

[snip]

> > I have had a reply from the writer of the quote.  The situation he
> > described was not a result of iptables alone.  But, with remote
> > (login) authentication, if the ip packets are not getting through as a
> > result of an iptables rule, one is effectively locked out.  
[snip]

> > Sorry if this is not entirely accurate.  Any inaccuracies in this
> > description are entirely my own.
> 
> I think the original could do with being expanded, because this is a
> non-trivial issue, and one that (obviously) it is quite possible to
> overlook when you think about firewall risks.

You're right.  I think I'll suggest a change to the author of the Securing
Debian howto.  The original doc is no longer an issue.  The quote came from
/usr/share/doc/iptables/README.Debian in woody (well, at least, it was
present in woody.  It may have originated earlier than that), but the same
file had been completely changed in sarge.  The quote is no longer there.

[snip]
> > So, can anyone suggest what I should do with packets that have a
> > source address of 0.0.0.0?
> 
> Junk them -- they have no real business on your network, as 0.0.0.0
> isn't a valid assigned address on the live Internet.
> 
> In the extremely unlikely event that it actually pops up in your logs as
> blocked, work out why and tell us (well, me, anyway) what generated
> 'em. :)

'K:)

gc
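Both points raised in the thread (a DROP rule that strands the person who is logged in remotely, and what to do with packets whose source is 0.0.0.0) come together in the script below. It is an added example, not part of this thread or of the Debian README it quotes. It assumes a Linux host with iptables and the `state` match, run as root for real use; ADMIN_NET (an RFC 5737 documentation range), ROLLBACK_SECS, STATE_DIR and the log prefix are placeholders to adapt. The kernel-log lines in sample_log are constructed in the format the LOG target writes, not real log data. One caveat worth knowing before junking 0.0.0.0 outright: DHCP clients legitimately send DISCOVER/REQUEST from source 0.0.0.0 (RFC 2131), so a box that serves DHCP on an interface needs an ACCEPT for that traffic ahead of the DROP.

```shell
#!/bin/sh
# Added example (not from the thread).  Assumptions: Linux + iptables with the
# "state" match; ADMIN_NET, ROLLBACK_SECS, STATE_DIR and the prefix are placeholders.
IPTABLES="${IPTABLES:-iptables}"         # set IPTABLES=echo for a dry run
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # placeholder: where you log in from
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
STATE_DIR="${STATE_DIR:-/var/run/fw-apply}"

# Rules that keep the current remote session alive and let the admin back in.
# They go FIRST, so that nothing added later can strand a logged-in admin.
lockout_guard_rules() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
}

# Junk packets claiming source 0.0.0.0, logging each hit first so the
# "work out why" step has something to go on.  A DHCP server would need
# "-p udp --sport 68 --dport 67 -j ACCEPT" on its serving interface before this.
unroutable_source_rules() {
    $IPTABLES -A INPUT -s 0.0.0.0/32 -j LOG --log-prefix "DROP-SRC-0.0.0.0: " --log-level 4
    $IPTABLES -A INPUT -s 0.0.0.0/32 -j DROP
}

# Apply with a dead-man switch: the old ruleset is saved and a background timer
# restores it unless "confirm" is run within ROLLBACK_SECS.  Run that confirm
# from a FRESH login, not the existing session: the fresh login is the real test.
apply_with_rollback() {
    mkdir -p "$STATE_DIR" && rm -f "$STATE_DIR/confirmed"
    iptables-save > "$STATE_DIR/before.rules"
    $IPTABLES -P INPUT ACCEPT        # never flush under a DROP policy
    $IPTABLES -F INPUT
    lockout_guard_rules
    unroutable_source_rules
    $IPTABLES -P INPUT DROP          # policy goes last, after the admin rule exists
    (
        sleep "$ROLLBACK_SECS"
        [ -f "$STATE_DIR/confirmed" ] || iptables-restore < "$STATE_DIR/before.rules"
    ) &
    echo "rules applied; automatic rollback in ${ROLLBACK_SECS}s unless confirmed" >&2
}

# Summarise logged 0.0.0.0 hits from kernel-log lines on stdin:
# one line per hit with interface, destination, protocol and destination port.
report_zero_source_hits() {
    grep 'SRC=0\.0\.0\.0 ' | awk '
    {
        iface = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")    iface = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        print iface, dst, proto, dpt
    }'
}

# Constructed log lines in LOG-target format (not real data): two DHCP-style
# broadcasts from 0.0.0.0 and one ordinary SSH SYN that must not be reported.
sample_log() {
    cat <<'EOF'
Jan 28 18:25:05 gw kernel: DROP-SRC-0.0.0.0: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 28 18:25:09 gw kernel: DROP-SRC-0.0.0.0: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:66:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 28 18:26:00 gw kernel: IN=eth0 OUT= MAC=... SRC=192.0.2.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Usage: "./fw.sh apply", then from a new login "./fw.sh confirm";
# "./fw.sh report < /var/log/kern.log" lists the dropped 0.0.0.0 hits.
case "${1:-}" in
    apply)   apply_with_rollback ;;
    confirm) mkdir -p "$STATE_DIR" && touch "$STATE_DIR/confirmed" && echo confirmed ;;
    report)  report_zero_source_hits ;;
    demo)    sample_log | report_zero_source_hits ;;
    *)       : ;;   # sourced, or no command given: do nothing
esac
```

The order in apply_with_rollback is the whole point: the session-keeping rules exist before the policy flips to DROP, and the timer undoes everything if the fresh login never arrives. The report output for the constructed lines is two entries of the form `eth0 255.255.255.255 UDP 67`, which is exactly the DHCP broadcast shape mentioned above.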
