Re: Fw: Can a daemon listen only on some interfaces?
mdevin <firstname.lastname@example.org> writes:
[snip firewall overview]
> > how come packets still seem to get dropped when being forwarded between
> > interfaces?
> I am not sure I have totally gotten what you are trying to do here. But,
> the packets will be dropped instead of being forwarded between interfaces
> because that is exactly what you have specified in your rules.
> What happens is this:
> 1. A packet comes in through one of your interfaces.
> 2. It hits the PREROUTING chain - where DNAT can occur or any tracked
> connections are de-SNATted or de-MASQUERADED.
> 3. Routing decision is made. Here is where the decision is made whether
> the packet is destined for localhost or to go out another interface.
> 4a. If the packet is destined for localhost then it traverses the INPUT chain
> 4b. If the packet is for another host then it traverses the FORWARD chain
Righty. That's much as I expected.
> Thus what your rules will do is:
> Any packet not destined for localhost will traverse the FORWARD chain
> and will be -j (jumped) to your block (user defined) chain. This will
> presumably LOG and then DROP the packets. Thus all your FORWARDED
> packets will be DROPPED.
Ultimately, I want input & forward to be drop-by-default. However, the
`block' chain is meant to be good for both input & forward scenarios; it
has rules for stateful filtering and `open' things, then a drop & log. If I
put in a rule matching -i and/or -o as appropriate, it still doesn't seem
to work. Maybe I've done something wrong (and I don't really want to post
ork's firewall in any more detail).
> This is of course only if you don't have other rules in your FORWARD
> chain which explicitly ACCEPT the packets before they hit the FORWARD
> chain rule you have written above.
What about if I kick *all* packets from forward onto `block', though?
That's the bit I'm not wholly happy about.
A spark of life |email@example.com
On a wire from heaven |http://spodzone.org.uk/
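A ruleset laid out the way the thread describes, as an added example that is not from the original post or its author: one user-defined `block' chain reached from both INPUT and FORWARD, with stateful accept first, explicitly opened things next, then log and drop. The interface names eth0 (outside) and eth1 (LAN) and the single opened service (SSH from the LAN) are assumptions; IPT defaults to printing the commands so the layout can be inspected without touching a live firewall.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread. Assumptions: eth0 is the
# untrusted side, eth1 the LAN, and only SSH from the LAN to the firewall
# itself is opened. IPT defaults to "echo iptables" so the rules are printed
# rather than applied; run with IPT=iptables as root to load them.
IPT="${IPT:-echo iptables}"

build_firewall() {
    # Drop-by-default for both the locally delivered and the forwarded path.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -N block
    # 1. Replies to connections we already know about, whichever path.
    $IPT -A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Things explicitly opened. Rules meant for one path only are
    #    qualified with -i/-o inside the shared chain: a FORWARD packet
    #    carries an output interface, an INPUT packet never does, so an
    #    "-o eth0" match can only ever hit on the forwarded path.
    $IPT -A block -i eth1 ! -o eth0 -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A block -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
    # 3. Log (rate limited) and drop everything that got this far.
    $IPT -A block -m limit --limit 3/minute -j LOG --log-prefix "block: "
    $IPT -A block -j DROP

    # Both built-in chains end in the same user-defined chain.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block
}

# Print the rules appended to one chain, for checking the generated layout.
rules_for_chain() {
    build_firewall | grep -- "-A $1 "
}

# The shared chain must end in DROP: returns 0 if so, 1 otherwise.
block_ends_in_drop() {
    rules_for_chain block | tail -n 1 | grep -q -- '-j DROP$'
}
```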