
Have I misunderstood an ipchains concept?
I have the following lines (inspired by Robert Ziegler's Linux firewalls book)
in my firewall script:

ipchains -A input -i $IF_EXT -s $ME_EXT -j DENY -l
ipchains -A input -i $IF_EXT -s $ME_INT -j DENY -l
ipchains -A input -i $IF_INT -s $ME_EXT -j DENY -l
ipchains -A input -i $IF_INT -s $ME_INT -j DENY -l

He says in the book that one will never see a legit packet coming in over a NIC
from one's own address, for packets destined to a "local" address are delivered
via the LO interface.

I think that's what it says in ipfw_chains(4). To quote:

 Input firewall
              These  rules regulate the acceptance of incoming IP
              packets.  All packets coming  in  via  one  of  the
              local  network  interfaces  are checked against the
              input firewall rules (locally-generate packets  are
              considered to come from the loopback interface).

Yet if I broadcast anything from the FW machine to any of the attached networks,
the packet destined to the machine itself comes in over eth?, not over lo and
is thus denied...

Maybe someone could explain this to me or give me some pointers?

Thanks

Christian 
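To trace what the four DENY rules above do to a few packets, here is a small model of ipchains-style first-match chain evaluation. This is an added illustration, not code from the original post or from Ziegler's book; the interface names, addresses and the three sample packets are constructed, and the final "accept our own broadcast copy first" rule is an assumed variant showing that rule order decides the outcome, not something the post proposes.

```python
# Added illustration (not from the original post): a minimal model of
# ipchains-style first-match evaluation, used to trace why a locally
# sent broadcast matches the anti-spoofing DENY rules from the post.
from dataclasses import dataclass
from typing import Optional

# Assumed sample interface names and addresses for the firewall host
# (constructed; the post uses shell variables $IF_EXT, $ME_EXT, ...).
IF_EXT, IF_INT = "eth0", "eth1"
ME_EXT, ME_INT = "203.0.113.10", "192.168.1.1"
BCAST_INT = "192.168.1.255"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on ("lo" for local delivery)
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "DENY"
    iface: Optional[str] = None  # -i  (None means "any")
    src: Optional[str] = None    # -s
    dst: Optional[str] = None    # -d

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must equal the packet's field."""
        return all(want is None or want == have
                   for want, have in ((self.iface, pkt.iface),
                                      (self.src, pkt.src),
                                      (self.dst, pkt.dst)))


def evaluate(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in an ipchains chain; else the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The four anti-spoofing rules from the post (-l logging omitted here).
ANTI_SPOOF = [
    Rule("DENY", iface=IF_EXT, src=ME_EXT),
    Rule("DENY", iface=IF_EXT, src=ME_INT),
    Rule("DENY", iface=IF_INT, src=ME_EXT),
    Rule("DENY", iface=IF_INT, src=ME_INT),
]


def trace_samples(chain) -> dict:
    """Evaluate three constructed packets; returns {label: verdict}."""
    samples = {
        # ordinary local delivery: arrives on lo, so no "-i eth" rule matches
        "local_via_lo": Packet("lo", ME_INT, ME_INT),
        # outsider forging the firewall's own external address on eth0
        "spoofed_on_ext": Packet(IF_EXT, ME_EXT, ME_EXT),
        # the case from the post: our own broadcast copy arriving on eth1
        "own_broadcast_on_int": Packet(IF_INT, ME_INT, BCAST_INT),
    }
    return {label: evaluate(chain, pkt) for label, pkt in samples.items()}


# Assumed variant (not proposed by the post): accept the host's own
# broadcast copy explicitly *before* the DENY rules. Because the chain is
# first-match, the same rule placed after them would never be reached.
WITH_BCAST_EXCEPTION = [Rule("ACCEPT", iface=IF_INT, src=ME_INT, dst=BCAST_INT)] + ANTI_SPOOF

if __name__ == "__main__":
    for name, chain in (("anti_spoof", ANTI_SPOOF), ("with_exception", WITH_BCAST_EXCEPTION)):
        print(name, trace_samples(chain))
```

Running it shows the loopback-delivered packet passing untouched, the forged external-address packet denied by the first rule, and the host's own broadcast copy denied by the fourth rule exactly as described in the post; only an explicit earlier ACCEPT changes that last verdict, while the spoofed packet stays denied.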