[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: Can a daemon listen only on some interfaces?

On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> With ipchains you can make the following:
> ipchains -A input -i ! eth1 -d -j DENY

What this says is: all packets with destination must not
have come from eth1 or they will be denied.

Why do you choose to specify the rule this way and not like this:
ipchains -A input -i eth0 ! -d -j DENY
In other words: all packets coming from eth0 must have destination or they will be denied?

Please explain.  Is it because you may later want to put your ethernet
card into promiscuous mode and thus receive packets with any destination
as if they were for you?  My rule above would prevent this whereas your
rule would not.  Both rules would prevent the attacker trying to
circumvent the sshd bound IP address restriction however.

Can you explain why you choose your rule.


Attachment: pgpyI1SrUVQQY.pgp
Description: PGP signature

Reply to: