[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: Can a daemon listen only on some interfaces?

On Mon, Dec 10, 2001 at 09:31:09AM +0200, Berend De Schouwer wrote:
> On Mon, 2001-12-10 at 08:19, mdevin wrote:
> > On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > > With ipchains you can make the following:
> > > 
> > > ipchains -A input -i ! eth1 -d -j DENY
> > 
> > What this says is: all packets with destination must not
> > have come from eth1 or they will be denied.
> > 
> > Why do you choose to specify the rule this way and not like this:
> > ipchains -A input -i eth0 ! -d -j DENY
> > In other words: all packets coming from eth0 must have destination
> > or they will be denied?
> I'm not the original author, but I use ! <interface> too.
> Using ! <destination> would break ip forwarding.  If your box is a
> gateway/router/firewall, it will drop all packets not destined for
> (itself).
> > 
OK, I see the problem.  However, I think this only applies to ipchains
where forwarded packets traverse the input and output chains.

Sorry, I was transposing my thoughts into ipchains rules.  Actually my
firewall is iptables based.  In iptables, packets that are being
masqueraded traverse only the FORWARD chain and not the INPUT or OUTPUT
chains.  Thus if the rule was:
iptables -A INPUT -i eth0 ! -d -j DROP
this should be OK I guess.  Since packets on the INPUT are destined only
to localhost.

All packets that need to be forwarded will traverse only the FORWARD
chain and thus will not be checked against this rule.

Thus on an iptables based firewall is there a preferance for which is
the better approach?  It is just that I came up with the rule above
because it seemed more straightforward.  In other words: If the packet
came from interface eth0 and it is directed to localhost (INPUT chain)
then it must have destination address or we will DROP it.
And you can make similar rules for every interface the firewall has.
But I guess the same applies for the ipchains rule you use.  It is just
that the primary focus is on the IP address of each interface rather
than the interface itself.

The more I think about it, it doesn't seem to matter in iptables, unless
you are putting your ethernet card into promiscuous mode or something.
'Cause then I guess you would see lots of packets not addressed to you
coming in your INPUT chain.  Then that iptables rule would DROP them all
unless they were specifically addressed to you, whereas if I used your
style of rule then other packets not addressed to my box directly would
still get through.  I don't know anything about ethernet cards in
promiscuous mode - so not sure about this.

What do you think?  And thanks for highlighting that ipchains
difference, I had forgotten about that.  Since January, I have only been
using iptables.


Attachment: pgptc7bNgmuix.pgp
Description: PGP signature

Reply to: