At 10.12.2001, mdevin wrote:

> On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > With ipchains you can make the following:
> > ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
> What this says is: all packets with destination 192.168.0.1 must not
> have come from eth1 or they will be denied.

Hmmm... All packets coming in over eth1 with destination 192.168.0.1 will be denied.

> Why do you choose to specify the rule this way and not like this:
> ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY

Because it was just an example.

> In other words: all packets coming from eth0 must have destination
> 192.168.0.1 or they will be denied?

It depends on your network. If this system has to route packets to 192.168.0.0/16, this rule will deny all other than destination 192.168.0.1.

> Please explain. Is it because you may later want to put your ethernet
> card into promiscuous mode and thus receive packets with any destination
> as if they were for you?

?

> My rule above would prevent this whereas your
> rule would not. Both rules would prevent the attacker trying to
> circumvent the sshd bound IP address restriction however.
>
> Can you explain why you choose your rule.

It was just an example. Everyone who writes rules has to make them the best way for their own network. It is not possible to write rules that are ok for all systems.

Regards, Guido
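The two rules in the thread put the negation on different fields, which is where the disagreement about their meaning comes from. The following is an added example, not part of the original exchange: a small matcher of my own for just the `-i` and `-d` fields (with either `-i ! x` or `! -d x` negation), run over constructed sample packets so the verdict of each rule can be compared side by side.

```python
import ipaddress
from dataclasses import dataclass

# The two rules quoted in the thread, verbatim.
RULE_GUIDO = "ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY"
RULE_MDEVIN = "ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY"

# Constructed sample packets as (arrival interface, destination address).
SAMPLE_PACKETS = [("eth0", "192.168.0.1"), ("eth1", "192.168.0.1"),
                  ("eth0", "192.168.5.7"), ("eth1", "10.0.0.1")]

@dataclass
class Rule:
    iface: str                       # "" means any interface
    iface_neg: bool                  # written as '-i ! IF'
    dst: ipaddress.IPv4Network       # 0.0.0.0/0 means any destination
    dst_neg: bool                    # written as '! -d ADDR' (or '-d ! ADDR')
    target: str

def parse_rule(argv: str) -> Rule:
    """Parse the subset 'ipchains -A input [-i [!] IF] [[!] -d ADDR[/LEN]] -j TARGET'."""
    toks = argv.split()
    iface, iface_neg, target = "", False, "ACCEPT"
    dst, dst_neg = ipaddress.ip_network("0.0.0.0/0"), False
    i = 0
    while i < len(toks):
        neg = False
        if toks[i] == "!":           # iptables-style '! -d x'
            neg, i = True, i + 1
        opt = toks[i]
        if opt in ("-i", "-d", "-j"):
            i += 1
            if toks[i] == "!":       # ipchains-style '-i ! x'
                neg, i = True, i + 1
            val = toks[i]
            if opt == "-i":
                iface, iface_neg = val, neg
            elif opt == "-d":
                dst = ipaddress.ip_network(val if "/" in val else val + "/32")
                dst_neg = neg
            else:
                target = val
        i += 1
    return Rule(iface, iface_neg, dst, dst_neg, target)

def matches(rule: Rule, iface: str, dst: str) -> bool:
    """A '!' flips the result of that single field's comparison; fields are ANDed."""
    iface_ok = rule.iface == "" or ((iface == rule.iface) != rule.iface_neg)
    dst_ok = (ipaddress.ip_address(dst) in rule.dst) != rule.dst_neg
    return iface_ok and dst_ok

def apply_rule(rule_text: str, packets) -> dict:
    """Map each (iface, dst) to the rule's target when it matches, else 'pass'."""
    rule = parse_rule(rule_text)
    return {p: (rule.target if matches(rule, *p) else "pass") for p in packets}
```

Running both rules over the same packets shows that the first denies 192.168.0.1 only when it arrives on an interface other than eth1, while the second denies everything on eth0 whose destination is not 192.168.0.1, including routed traffic such as 192.168.5.7.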