[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Have I misunderstood an ipchains concept?

I have the following lines (inspired by Robert Ziegler's Linux firewalls book)
in my firewall script:

ipchains -A input -i $IF_EXT -s $ME_EXT -j DENY -l
ipchains -A input -i $IF_EXT -s $ME_INT -j DENY -l
ipchains -A input -i $IF_INT -s $ME_EXT -j DENY -l
ipchains -A input -i $IF_INT -s $ME_INT -j DENY -l

He says in the book that one will never see a legit packet coming in over a NIC
from one's own address, for packets destined to a "local" address are delivered
via the LO interface.

I think that's what it says in ipfw_chains(4). To quote:

 Input firewall
              These  rules regulate the acceptance of incoming IP
              packets.  All packets coming  in  via  one  of  the
              local  network  interfaces  are checked against the
              input firewall rules (locally-generate packets  are
              considered to come from the loopback interface).

Yet if I broadcast anything from the FW machine to any of the attached networks,
the packet destined to the machine itself comes in over eth?, not over lo and
is thus denied...

Maybe someone could explain this to me or give me some pointers?



Reply to: