[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: Can a daemon listen only on some interfaces?

At 10.12.2001, mdevin wrote:
> On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > With ipchains you can make the following:
> > ipchains -A input -i ! eth1 -d -j DENY
> What this says is: all packets with destination must not
> have come from eth1 or they will be denied.

Hmmm... All Packets come in over eth1 with destination will
be denied.

> Why do you choose to specify the rule this way and not like this:
> ipchains -A input -i eth0 ! -d -j DENY

Because it was just an example.

> In other words: all packets coming from eth0 must have destination
> or they will be denied?

It depends on your network. If this system has to route packets to this rule will deny all other than destination

> Please explain.  Is it because you may later want to put your ethernet
> card into promiscuous mode and thus receive packets with any destination
> as if they were for you?


> My rule above would prevent this whereas your
> rule would not.  Both rules would prevent the attacker trying to
> circumvent the sshd bound IP address restriction however.
> Can you explain why you choose your rule.

It was just an example. Everyone who writes rules hast to make it the
best way for the own network. It is not possible to write rules that are
ok for all systems.

Regards, Guido

Attachment: pgpmEvliY0lJ1.pgp
Description: PGP signature

Reply to: