Re: Fw: Can a daemon listen only on some interfaces?

To: mdevin <mdevin@ozemail.com.au>
Cc: debian-security@lists.debian.org
Subject: Re: Fw: Can a daemon listen only on some interfaces?
From: Berend De Schouwer <bds@jhb.ucs.co.za>
Date: 10 Dec 2001 09:31:09 +0200
Message-id: <[🔎] 1007969470.974.2.camel@bds.ucs.co.za>
In-reply-to: <[🔎] 20011210161957.A3525@flea.home>
References: <[🔎] 001901c18024$8a7e5e40$0300000a@Oneil> <[🔎] E16CqPn-00087i-00@debian.dyndns.org> <[🔎] 20011209121208.A977@flea.home> <[🔎] E16D3mj-0005dr-00@debian.dyndns.org> <[🔎] 002501c180d9$37b2ae40$0300000a@Oneil> <[🔎] 86adwsjn6w.fsf@potato.vegetable.org.uk> <[🔎] E16D8xU-0007vy-00@debian.dyndns.org> <[🔎] 20011210102637.B1171@flea.home> <[🔎] E16DEeC-000294-00@debian.dyndns.org> <[🔎] 20011210161957.A3525@flea.home>

On Mon, 2001-12-10 at 08:19, mdevin wrote:
> On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > With ipchains you can make the following:
> > 
> > ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
> 
> What this says is: all packets with destination 192.168.0.1 must not
> have come from eth1 or they will be denied.
> 
> Why do you choose to specify the rule this way and not like this:
> ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
> In other words: all packets coming from eth0 must have destination
> 192.168.0.1 or they will be denied?

I'm not the original author, but I use ! <interface> too.

Using ! <destination> would break ip forwarding.  If your box is a
gateway/router/firewall, it will drop all packets not destined for
192.168.0.1 (itself).
> 
> Please explain.  Is it because you may later want to put your ethernet
> card into promiscuous mode and thus receive packets with any destination
> as if they were for you?  My rule above would prevent this whereas your
> rule would not.  Both rules would prevent the attacker trying to
> circumvent the sshd bound IP address restriction however.
> 
> Can you explain why you choose your rule.
> 
> Cheers.
> Mark.
-- 
Berend De Schouwer

Reply to:

Follow-Ups:
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>

References:
- Fw: Can a daemon listen only on some interfaces?
  - From: "Phillip Hofmeister" <plhofmei@svsu.edu>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Guido Hennecke <g.hennecke@t-online.de>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin@ozemail.com.au
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Guido Hennecke <g.hennecke@t-online.de>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: "Phillip Hofmeister" <plhofmei@svsu.edu>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Guido Hennecke <g.hennecke@t-online.de>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Guido Hennecke <g.hennecke@t-online.de>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>

Prev by Date: Re: Fw: Can a daemon listen only on some interfaces?
Next by Date: Re: Can a daemon listen only on some interfaces?
Previous by thread: Re: Fw: Can a daemon listen only on some interfaces?
Next by thread: Re: Fw: Can a daemon listen only on some interfaces?
Index(es):
- Date
- Thread