Re: Fw: Can a daemon listen only on some interfaces?
On Mon, 2001-12-10 at 08:19, mdevin wrote:
> On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > With ipchains you can make the following:
> >
> > ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
>
> What this says is: all packets with destination 192.168.0.1 must not
> have come from eth1 or they will be denied.
>
> Why do you choose to specify the rule this way and not like this:
> ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
> In other words: all packets coming from eth0 must have destination
> 192.168.0.1 or they will be denied?
I'm not the original author, but I use ! <interface> too.
Using ! <destination> would break IP forwarding. If your box is a
gateway/router/firewall, it will drop all packets not destined for
192.168.0.1 (itself).
>
> Please explain. Is it because you may later want to put your ethernet
> card into promiscuous mode and thus receive packets with any destination
> as if they were for you? My rule above would prevent this whereas your
> rule would not. Both rules would prevent the attacker trying to
> circumvent the sshd bound IP address restriction however.
>
> Can you explain why you chose your rule?
>
> Cheers.
> Mark.
--
Berend De Schouwer
Reply to:
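To make the forwarding point concrete, here is a small added simulation (not code from the thread) of how the two ipchains rules treat packets. It models only the `-i` and `-d` matches and the `!` negation, and assumes eth1 is the internal interface that owns 192.168.0.1, eth0 is the external interface, 192.168.0.50 is a constructed address of another LAN host, and the input chain's default policy is ACCEPT.

```python
"""Compare the two input-chain rules from the thread on sample packets.

Modelled fields: arriving interface (-i) and destination address (-d).
A '!' in ipchains inverts only the single match it precedes.
"""
from dataclasses import dataclass

HOST_IP = "192.168.0.1"  # the box's own address on eth1 (assumed)


@dataclass(frozen=True)
class Rule:
    iface: str
    iface_negated: bool
    dst: str
    dst_negated: bool
    target: str = "DENY"

    def matches(self, in_iface: str, dst_ip: str) -> bool:
        # Each match is true when the field equals the value, XOR'd with '!'
        iface_ok = (in_iface == self.iface) != self.iface_negated
        dst_ok = (dst_ip == self.dst) != self.dst_negated
        return iface_ok and dst_ok


# ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
RULE_NEG_IFACE = Rule("eth1", True, HOST_IP, False)
# ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
RULE_NEG_DST = Rule("eth0", False, HOST_IP, True)


def verdict(rule: Rule, in_iface: str, dst_ip: str) -> str:
    """DENY if the rule matches, otherwise the assumed chain policy ACCEPT."""
    return rule.target if rule.matches(in_iface, dst_ip) else "ACCEPT"


# Constructed sample packets: (arriving interface, destination address)
PACKETS = {
    "lan_to_host": ("eth1", HOST_IP),            # internal client to the box
    "outside_to_host": ("eth0", HOST_IP),        # external packet aimed at the box
    "outside_forwarded": ("eth0", "192.168.0.50"),  # traffic the box should route
}


def compare() -> dict:
    """Map each packet name to (verdict under rule A, verdict under rule B)."""
    return {name: (verdict(RULE_NEG_IFACE, *pkt), verdict(RULE_NEG_DST, *pkt))
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:18s}  '! eth1': {a:6s}  '! -d': {b}")
```

The `outside_forwarded` row shows the breakage Berend describes: the `! -d` form denies every packet arriving on eth0 that is not addressed to the box itself, which is exactly the traffic a gateway exists to forward.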