
Re: Fw: Can a daemon listen only on some interfaces?

On Mon, Dec 10, 2001 at 12:22:44PM +0000, Tim Haynes wrote:
> Plato <tom@redant.freeserve.co.uk> writes:
> > > >         echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
> > > > with    echo 1 > /proc/sys/net/ipv4/conf/*/log_martians
> > > > for logging/fun purposes.
> > > 
> > > rp_filter will not help with that.
> > 
> > I thought that rp_filter was for precisely this. Doesn't it stop packets
> > which appear on interfaces with invalid IP addresses for that interface
> > from getting through?
> It's a return-path filter; if flipping the src/dest IP#s wouldn't send it
> back out the same interface, it doesn't come in at all. 
> So a specially routed packet from a.b.c.d -> coming in on eth0
> becomes a             packet from -> a.b.c.d going back out
> That certainly looks wrong to me, although I'm not /sure/ it would produce
> the required interface conflict for rp_filter.

Hmmm.  I don't know.

On the test I ran in another part of this thread
where I put a rule into my routing table to make packets destined for get sent via loopback.  Then made sshd bind to address  Then I was able to ssh into my box via the loopback
interface by doing this: ssh Even though: ssh was

All this was done while my iptables firewall was loaded and it does have
the following in it:
# Enable IP spoofing protection - turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

However, the difference is that the packets that were being sent
actually have destination address and source address  And this didn't cause any problem for the return path
filter.  Whereas it might if it was trying to send back packets with a
source of and a destination of a.b.c.d.

I can't test this at present since I don't have another computer I can
network with this one for a couple of days.  But a test could be run
similar to the one I did earlier to check.
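Added example, not part of the original message or of anything else in this thread: a small Python simulation of the strict reverse-path check that rp_filter=1 performs, run against a constructed routing table for an assumed two-NIC host (the addresses, interface names and routes below are made up for the simulation). The check is exactly what the quoted reply describes: look up a route to the packet's *source* address and accept the packet only if that route's outgoing interface is the one it arrived on. The destination address plays no part. That is why a packet from an outside address that arrives on eth0 but is addressed to the eth1 address passes the filter, why a locally generated packet whose source is one of the host's own addresses passes when it arrives on lo, and why only a source that the routing table says belongs behind a *different* interface gets dropped.

```python
import ipaddress

# Constructed toy routing table (assumption, not a real host's table).
# Each entry is (destination prefix, outgoing interface). The host is assumed
# to own 192.168.1.10 on eth0 and 10.0.0.5 on eth1; as on Linux, routes to
# its own addresses point at lo. Longest prefix wins, as in the kernel FIB.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route towards the outside
    ("192.168.1.0/24", "eth0"),   # LAN attached to eth0
    ("10.0.0.0/8", "eth1"),       # internal network attached to eth1
    ("127.0.0.0/8", "lo"),        # loopback
    ("192.168.1.10/32", "lo"),    # local route for the eth0 address
    ("10.0.0.5/32", "lo"),        # local route for the eth1 address
]


def route_lookup(dst, routes=ROUTES):
    """Return the outgoing interface for dst by longest-prefix match,
    or None if no route covers it."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rp_filter_accepts(src, in_iface, routes=ROUTES):
    """Strict reverse-path check (rp_filter=1): accept only if a packet sent
    back to src would leave through the interface this one arrived on.
    The destination address is deliberately not an argument: the check
    never looks at it."""
    return route_lookup(src, routes) == in_iface


def simulate():
    """Run the three situations discussed in the thread through the check.
    Source addresses and arrival interfaces are constructed for the demo."""
    cases = {
        # Outside host sends to the eth1 address, packet arrives on eth0.
        # Reply to 203.0.113.7 goes out the default route, i.e. eth0: accepted.
        "outside src on eth0, addressed to the eth1 address": ("203.0.113.7", "eth0"),
        # Spoofed source from the 10/8 network arriving on eth0.
        # Reply would go out eth1, not eth0: dropped.
        "spoofed 10/8 src arriving on eth0": ("10.7.7.7", "eth0"),
        # Locally generated packet whose source is our own address, on lo.
        # Local route for that address is via lo: accepted.
        "own address as src, arriving on lo": ("192.168.1.10", "lo"),
    }
    return {name: rp_filter_accepts(src, iface) for name, (src, iface) in cases.items()}


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{'ACCEPT' if accepted else 'DROP  '}  {name}")
```

Run it with `python3 rp_filter_sim.py`; the first and third cases print ACCEPT and the second prints DROP. The sysctl side is unchanged from what is already in the message above: the check itself lives in the kernel, and the script only models which packets that setting can and cannot reject.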
