
RE: Have I misunderstood an ipchains concept?

> -----Original Message-----
> From: David Wright [mailto:d.wright@open.ac.uk]
> Sent: Monday, September 25, 2000 5:41 PM
> To: Noah L. Meyerhans
> Cc: Christian Pernegger; debian-security@lists.debian.org
> Subject: Re: Have I misunderstood an ipchains concept?
> Quoting Noah L. Meyerhans (frodo@morgul.net):
> > On Thu, 21 Sep 2000, Christian Pernegger wrote:
> >
> > > > What they are saying is that a machine *should* never receive a packet that
> > > > has originated from outside the machine, yet claims (by way of the source
> > > > IP) to have originated from that machine?
> > >
> > > Exactly. A packet arriving on an eth interface comes from outside.
> > > I always thought that a packet destined to the host itself would
> > > arrive on the loopback interface, no matter what.
> >
> > Volume 1 of Rich Stevens' TCP/IP Illustrated indicates that your thinking
> > is correct.  It's in section 2.7, where the book discusses the loopback
> > interface.  I'll quote from the book for a bit here:
> > ___
> > Datagrams sent to a broadcast address or a multicast address are copied
> > to the loopback interface and sent out on the Ethernet.  This is because
> > the definition of broadcasting and multicasting includes the sending host.
> > ---
> >
> > So, were we to take the Stevens book as gospel, then it seems like Linux
> > is doing something wrong here.
> Surely a bit early to say that. If this is a fault in the Linux kernel
> (which one, by the way?), it ought to be replicatable on other systems.
> The original posting had "eth?". What are these cards connected to?

The complete scenario:

The Linux box runs potato
Linux jesus 2.2.17 #2 SMP Mon Sep 4 18:40:42 CEST 2000 i686 unknown
The /boot/config-2.2.17 file is attached.

The NICs are all 3C905Cs using 3Com's own module (under Linux.)

D-Link DES-1008 switch <===> eth0 (jesus)
                         |=> WinNT4sp6a box (kenny)
                         |=> Win98SE box (ike)

My ISP's cablemodem    <---> eth1

'=' is 100mbit, '-' is 10mbit, all cables category 5 twisted pair.

What I did was, I used

	smbclient -M ike <"MESSAGE"

in a script to notify ike of UPS events. While testing that I noticed that
each call triggers the first but not the second rule, when smbclient
broadcasts on all interfaces to find ike:

	ipchains -A input -i $IF_INT -s $ME_INT -j DENY -l
	ipchains -A input -i $IF_EXT -s $ME_EXT -j DENY -l

Log entry:

	Packet log: input DENY eth0 PROTO=17 \ L=78 S=0x00 I=44279 F=0x0000 T=64 (#5)

> It should be relatively easy to make a packet broadcast from a host
> arrive back at that host. For example, a mis-configured router, a
> missing termination, ...

One of the hosts could be misconfigured, of course.

You seemed interested, sorry if that was too much information. I'd really
like to know what causes this.


Attachment: config-2.2.17.gz
Description: GNU Zip compressed data
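An added example, not part of the thread: it parses ipchains `-l` log lines of the kind quoted above and separates the symptom described (the host's own NetBIOS broadcast arriving back on the same interface and tripping a `-i IF -s ME` rule) from a genuinely spoofed source. The source/destination address fields and the sample addresses are assumed, since the quoted log entry omits them.

```python
import re

# Assumed ipchains -l log layout (the quoted entry omits the address fields):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: SYN)? \(#(?P<rule>\d+)\)"
)
NETBIOS_PORTS = {137, 138}  # name service / datagram service used by smbclient -M

def parse_ipchains_log(line):
    """Return the log fields as a dict (numeric fields as int), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        d[k] = int(d[k])
    return d

def classify_antispoof_hit(entry, own_addr, own_bcast):
    """Classify a hit on a '-i IF -s ME -j DENY -l' rule for one interface.
    own_addr/own_bcast: the host's address and broadcast address on that
    interface (assumed, supplied by the caller)."""
    if entry["src"] != own_addr:
        return "not-our-address"
    if (entry["proto"] == 17 and entry["dst"] == own_bcast
            and entry["dport"] in NETBIOS_PORTS):
        return "local-broadcast-echo"   # our own UDP broadcast came back in
    return "spoofed-source"             # someone else used our address

# Constructed sample lines; the addresses are made up for this example.
SAMPLE_LOGS = [
    "Packet log: input DENY eth0 PROTO=17 192.168.1.1:138 192.168.1.255:138 "
    "L=78 S=0x00 I=44279 F=0x0000 T=64 (#5)",
    "Packet log: input DENY eth1 PROTO=6 203.0.113.10:4444 203.0.113.10:22 "
    "L=60 S=0x00 I=1 F=0x4000 T=250 SYN (#6)",
]

def summarize(lines, addrs):
    """addrs: {iface: (own_addr, own_bcast)}; returns [(iface, verdict), ...]."""
    out = []
    for line in lines:
        e = parse_ipchains_log(line)
        if e is None or e["iface"] not in addrs:
            continue
        own, bcast = addrs[e["iface"]]
        out.append((e["iface"], classify_antispoof_hit(e, own, bcast)))
    return out
```

Feed it the interface addresses from `ifconfig` and the logged lines from `/var/log/messages`; any `spoofed-source` verdict is the case the two DENY rules were written for, while `local-broadcast-echo` is the behaviour discussed in this thread.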
