
Re: Fw: Can a daemon listen only on some interfaces?



On Mon, 2001-12-10 at 08:19, mdevin wrote:
> On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > With ipchains you can make the following:
> > 
> > ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
> 
> What this says is: all packets with destination 192.168.0.1 must not
> have come from eth1 or they will be denied.
> 
> Why do you choose to specify the rule this way and not like this:
> ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
> In other words: all packets coming from eth0 must have destination
> 192.168.0.1 or they will be denied?

I'm not the original author, but I use ! <interface> too.

Using ! <destination> would break IP forwarding.  If your box is a
gateway/router/firewall, it will drop all packets not destined for
192.168.0.1 (itself).
> 
> Please explain.  Is it because you may later want to put your ethernet
> card into promiscuous mode and thus receive packets with any destination
> as if they were for you?  My rule above would prevent this whereas your
> rule would not.  Both rules would prevent the attacker trying to
> circumvent the sshd bound IP address restriction however.
> 
> Can you explain why you choose your rule?
> 
> Cheers.
> Mark.
-- 
Berend De Schouwer
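
Added example (not part of the original message): a small Python model of the two rules quoted above, evaluated over constructed packets, showing that the `! <destination>` form denies transit traffic arriving on eth0 while the `! <interface>` form does not. It assumes each rule is the only one in the input chain, the chain policy is ACCEPT, and that forwarded packets traverse the ipchains input chain first; the `Rule` class and every address other than 192.168.0.1 are made up for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ipchains input-chain rule; only -i and -d (each with optional '!') are modelled."""
    iface: str
    not_iface: bool
    dst: str
    not_dst: bool
    target: str = "DENY"

    def matches(self, in_iface: str, dst: str) -> bool:
        # "!" inverts the result of the single match it precedes.
        iface_hit = (in_iface == self.iface) != self.not_iface
        dst_hit = (ip_address(dst) in ip_network(self.dst)) != self.not_dst
        return iface_hit and dst_hit


def verdict(rule: Rule, in_iface: str, dst: str, policy: str = "ACCEPT") -> str:
    """Target if the rule matches, else the chain policy (assumed ACCEPT)."""
    return rule.target if rule.matches(in_iface, dst) else policy


# ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
NOT_IFACE = Rule("eth1", True, "192.168.0.1", False)
# ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
NOT_DST = Rule("eth0", False, "192.168.0.1", True)

# Constructed packets: (incoming interface, destination address).
PACKETS = [
    ("eth1", "192.168.0.1"),   # to 192.168.0.1, arriving on eth1
    ("eth0", "192.168.0.1"),   # to 192.168.0.1, arriving on eth0
    ("eth0", "10.0.0.5"),      # transit traffic to be forwarded, in on eth0
    ("eth1", "203.0.113.7"),   # transit traffic to be forwarded, in on eth1
]


def compare():
    """Map each packet to (verdict under '! <interface>', verdict under '! <destination>')."""
    return {p: (verdict(NOT_IFACE, *p), verdict(NOT_DST, *p)) for p in PACKETS}


if __name__ == "__main__":
    for (iface, dst), (a, b) in compare().items():
        print(f"in={iface:<5} dst={dst:<12} !iface: {a:<6} !dst: {b}")
```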


