Re: Fw: Can a daemon listen only on some interfaces?

To: debian-security@lists.debian.org
Subject: Re: Fw: Can a daemon listen only on some interfaces?
From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Date: 10 Dec 2001 13:21:15 +0000
Message-id: <[🔎] 86pu5ncit0.fsf@potato.vegetable.org.uk>
Reply-to: debian@stirfried.vegetable.org.uk
In-reply-to: <[🔎] 20011210231250.C892@flea.home> (mdevin's message of "Mon, 10 Dec 2001 23:12:51 +1000")
References: <[🔎] 002501c180d9$37b2ae40$0300000a@Oneil> <[🔎] 86adwsjn6w.fsf@potato.vegetable.org.uk> <[🔎] E16D8xU-0007vy-00@debian.dyndns.org> <[🔎] 20011210102637.B1171@flea.home> <[🔎] E16DEeC-000294-00@debian.dyndns.org> <[🔎] 20011210161957.A3525@flea.home> <[🔎] 1007969470.974.2.camel@bds.ucs.co.za> <[🔎] 20011210222300.A892@flea.home> <[🔎] E16DPrP-00078R-00@debian.dyndns.org> <[🔎] 861yi3dym0.fsf@potato.vegetable.org.uk> <[🔎] 20011210231250.C892@flea.home>

mdevin <mdevin@ozemail.com.au> writes:

[snip firewall overview]
> > how come packets still seem to get dropped when being forwarded between
> > interfaces?
>
> I am not sure I have totall gotten what you are trying to do here. But,
> the packets will be dropped instead of being forwarded between interfaces
> because that is exactly what you have specified in your rules.
> 
> What happens is this:
> 1. A packet comes in through one of your interfaces.
> 2. It hits the PREROUTING chain - where DNAT can occur or any tracked
> connections are de-SNATted or de-MASQUERADED.
> 3. Routing decision is made.  Here is where the decision is made whether
> the packet is destined for localhost or to go out another interface.
> 4a. If the packet is destined for localhost then it traverses the INPUT
> chain.
> 4b. If the packet is for another host then it traverses the FORWARD
> chain.

Righty. That's much as I expected.

> Thus what your rules will do is:
> Any packet not destined for localhost will traverse the FORWARD chain
> and will be -j (jumpped) to your block (user defined) chain.  This will
> presumably LOG and the DROP the packets.  Thus all your FORWARDED
> packets will be DROPPED.

Ultimately, I want input & forward to be drop-by-default. However, the
`block' chain is meant to be good for both input & forward scenarios; it
has rules for stateful filtering and `open' things, then a drop & log. If I
put in a rule matching -i and/or -o as appropriate, it still doesn't seem
to work. Maybe I've done something wrong (and I don't really want to post
ork's firewall in any more detail).

> This is of course only if you don't have other rules in your FORWARD
> chain which explicitly ACCEPT the packets before they hit the FORWARD
> chain rule you have written above.

What about if I kick *all* packets from forward onto `block', though?
That's the bit I'm not wholly happy about.

~Tim
-- 
A spark of life                             |piglet@stirfried.vegetable.org.uk
On a wire from heaven                       |http://spodzone.org.uk/

Reply to:

Follow-Ups:
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>

References:
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: "Phillip Hofmeister" <plhofmei@svsu.edu>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Guido Hennecke <g.hennecke@t-online.de>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Guido Hennecke <g.hennecke@t-online.de>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Berend De Schouwer <bds@jhb.ucs.co.za>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Guido Hennecke <g.hennecke@t-online.de>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: Fw: Can a daemon listen only on some interfaces?
  - From: mdevin <mdevin@ozemail.com.au>

Prev by Date: Re: Fw: Can a daemon listen only on some interfaces?
Next by Date: Re: Fw: Can a daemon listen only on some interfaces?
Previous by thread: Re: Fw: Can a daemon listen only on some interfaces?
Next by thread: Re: Fw: Can a daemon listen only on some interfaces?
Index(es):
- Date
- Thread