Re: Fw: Can a daemon listen only on some interfaces?
In message <20011209210331.A24517@khazad-dum>, Henrique de Moraes Holschuh writes:
>On Sun, 09 Dec 2001, Guido Hennecke wrote:
>> At 09.12.2001, Henrique de Moraes Holschuh wrote:
>> > On Sun, 09 Dec 2001, Guido Hennecke wrote:
>> > > 127.0.0.1 Gateway <your official ip address> Interface <his
>> > > external interface>
>> > >
>> > > he can reach your service bound to 127.0.0.1. And this without
>> > > activating ip_forward on your computer!
>> > Is this true even if the policy of the forward chain (for ipchains) is set
>> > to deny ? (and the equivalent, for iptables) ?
>>
>> Those packets did not go through the forward chain. For local
>> interfaces no routing is needed.
>
>If they came over the network, they should have. That is a broken behaviour
>(breaks principle of less surprise, at the very least).
>
>Well, ipmasq needs an update to trash anything incoming and outgoing from
>!lo with a destination of 127.0.0.1/8 then.
It already does this. Check out /etc/ipmasq/rules/I15lospoof.def. It also
blocks and logs packets coming from external interfaces claiming to be from an
internal address in the /etc/ipmasq/rules/I70masq.def file. The ipmasq
firewall is very careful about blocking these sorts of attacks. The only
change I make to its default operation is to lock down the external
interface.
--
Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com
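The two checks discussed in this thread, as an added example that is not ipmasq's own code and not from any poster: a packet classifier that models (1) the loopback-spoof rule (a packet carrying a 127.0.0.0/8 address on any interface other than lo) and (2) the masquerade anti-spoof rule (a packet on the external interface claiming an internal source), plus a renderer for equivalent iptables rules. Because a packet addressed to 127.0.0.1 that arrives on eth0 is delivered locally rather than forwarded, the rules go in the INPUT chain, not FORWARD. Interface names, internal networks and the sample packets are constructed for the example.

```python
"""Model of loopback-spoof and internal-source-spoof filtering.

Added example (not ipmasq's rule files). The external interface name,
the internal network list and all packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on ("lo" for local)
    src: str
    dst: str


def classify(pkt, external_iface, internal_nets):
    """Return (verdict, reason) for one packet.

    Check 1 (loopback spoof): a 127/8 source or destination is only
    legitimate on lo; on any other interface it is dropped and tagged.
    Check 2 (anti-spoof): a packet entering on the external interface
    with a source inside one of the internal networks is dropped.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    if pkt.in_iface != "lo" and (dst in LOOPBACK or src in LOOPBACK):
        return "DROP", "lospoof"
    if pkt.in_iface == external_iface and any(src in n for n in nets):
        return "DROP", "spoofed-internal-src"
    return "ACCEPT", ""


def iptables_rules(external_iface, internal_nets):
    """Render INPUT-chain rules equivalent to the two checks.

    LOG precedes DROP so that spoofing attempts leave a kernel log line;
    the packets are locally delivered, so INPUT (not FORWARD) is the
    chain that sees them.
    """
    rules = [
        f"iptables -A INPUT ! -i lo -d {LOOPBACK} -j LOG --log-prefix 'lospoof: '",
        f"iptables -A INPUT ! -i lo -d {LOOPBACK} -j DROP",
        f"iptables -A INPUT ! -i lo -s {LOOPBACK} -j DROP",
    ]
    for net in internal_nets:
        rules.append(
            f"iptables -A INPUT -i {external_iface} -s {net} "
            f"-j LOG --log-prefix 'spoof: '"
        )
        rules.append(f"iptables -A INPUT -i {external_iface} -s {net} -j DROP")
    return rules


def demo():
    """Run the classifier over constructed packets; returns the verdicts."""
    ext, internal = "eth0", ["192.168.1.0/24"]
    samples = [
        Packet("eth0", "10.0.0.5", "127.0.0.1"),       # routed at our loopback
        Packet("lo", "127.0.0.1", "127.0.0.1"),         # genuine local traffic
        Packet("eth0", "192.168.1.7", "203.0.113.1"),   # internal src from outside
        Packet("eth1", "192.168.1.7", "203.0.113.1"),   # same src on the LAN side
    ]
    results = [classify(p, ext, internal) for p in samples]
    for p, (verdict, reason) in zip(samples, results):
        print(f"{p.in_iface:5} {p.src:>13} -> {p.dst:<13} {verdict:6} {reason}")
    return results


if __name__ == "__main__":
    demo()
    print("\n".join(iptables_rules("eth0", ["192.168.1.0/24"])))
```

The first sample packet is the case Guido describes: a remote host routing 127.0.0.1 via your public address. It never touches the forward chain, so a deny policy there does nothing; the loopback-spoof check on the input side is what drops it.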