Re: Fw: Can a daemon listen only on some interfaces?
In message <20011209210331.A24517@khazad-dum>, Henrique de Moraes Holschuh writ
>On Sun, 09 Dec 2001, Guido Hennecke wrote:
>> At 09.12.2001, Henrique de Moraes Holschuh wrote:
>> > On Sun, 09 Dec 2001, Guido Hennecke wrote:
>> > > 127.0.0.1 Gateway <your official ip address> Interface <his
>> > > external interface>
>> > >
>> > > he can reach your service bound to 127.0.0.1. And this without
>> > > activating ip_forward on your computer!
>> > Is this true even if the policy of the forward chain (for ipchains) is set
>> > to deny ? (and the equivalent, for iptables) ?
>> Those packets did not go through the forwards chain. For local
>> interfaces no routing is needed.
>If they came over the network, they should have. That is a broken behaviour
>(breaks principle of less surprise, at the very least).
>Well, ipmasq needs an update to trash anything incoming and outgoing from
>!lo with a destination of 127.0.0.1/8 then.
It already does this. Check out /etc/ipmasq/rules/I15lospoof.def. It also
blocks and logs packets coming from external interfaces claiming to be from an
internal address in the /etc/ipmasq/rules/I70masq.def file. The ipmasq
firewall is very careful about blocking these sorts of attacks. The only
change I make to its default operation is to lock down the external
Ted Cabeen http://www.pobox.com/~secabeen email@example.com
Check Website or Keyserver for PGP/GPG Key BA0349D2 firstname.lastname@example.org
"I have taken all knowledge to be my province." -F. Bacon email@example.com
"Human kind cannot bear very much reality."-T.S.Eliot firstname.lastname@example.org
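
Added example (not part of the original message, and not ipmasq's own rules): a small Python check that reads INPUT-chain rules in iptables-save syntax and reports what happens to a packet arriving on a non-loopback interface with a 127.0.0.0/8 destination, which is the case discussed in this thread. The rule lines are constructed samples; the check assumes only the filter table is supplied and skips rules carrying matches other than -i/-d, so it is a first-pass audit rather than a full ruleset simulation.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse one '-A INPUT ...' line; 'extra' marks matches not modelled here."""
    tok, rule = shlex.split(line), {"iface": None, "dst": None, "target": None, "extra": False}
    i, neg = 2, False
    while i < len(tok):
        opt, val = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if opt == "!":                        # current form: "! -i lo"
            neg, i = True, i + 1
            continue
        if val == "!" and i + 2 < len(tok):   # older form: "-i ! lo"
            neg, val, i = True, tok[i + 2], i + 1
        if opt in ("-i", "--in-interface"):
            rule["iface"] = (val, neg)
        elif opt in ("-d", "--destination"):
            rule["dst"] = (ipaddress.ip_network(val, strict=False), neg)
        elif opt in ("-j", "--jump"):
            rule["target"] = val
        else:
            rule["extra"] = True              # -p, -s, -m ...
        i, neg = i + 2, False
    return rule

def input_verdict(ruleset, iface, dst):
    """First-match verdict for a packet arriving on iface addressed to dst."""
    policy = "ACCEPT"
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        if not line.startswith("-A INPUT "):
            continue
        r = parse_rule(line)
        if r["extra"] or r["target"] in (None, "LOG"):
            continue                          # needs packet fields we do not model
        if r["iface"] and (iface == r["iface"][0]) == r["iface"][1]:
            continue                          # interface test fails
        if r["dst"] and (ipaddress.ip_address(dst) in r["dst"][0]) == r["dst"][1]:
            continue                          # destination test fails
        return r["target"]
    return policy

# Constructed rulesets in iptables-save style (assumption: not taken from ipmasq).
WEAK = ":INPUT ACCEPT [0:0]\n-A INPUT -i lo -j ACCEPT\n"
GUARDED = (":INPUT ACCEPT [0:0]\n-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP\n"
           "-A INPUT -i lo -j ACCEPT\n")

if __name__ == "__main__":
    print([input_verdict(rs, "eth0", "127.0.0.1") for rs in (WEAK, GUARDED)])
```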