[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: Can a daemon listen only on some interfaces?

Hash: SHA1

Content-Type: text/plain; charset=us-ascii

In message <[🔎] 20011209210331.A24517@khazad-dum>, Henrique de Moraes Holschuh writ
>On Sun, 09 Dec 2001, Guido Hennecke wrote:
>> At 09.12.2001, Henrique de Moraes Holschuh wrote:
>> > On Sun, 09 Dec 2001, Guido Hennecke wrote:
>> > >  Gateway <your official ip address>   Interface <his
>> > >         externel interface>
>> > > 
>> > > he can reach your service bound to And this without
>> > > activating ip_forward on your computer!
>> > Is this true even if the policy of the forward chain (for ipchains) is set
>> > to deny ? (and the equivalent, for iptables) ?
>> Those packets did not go throught the forwards chain. For local
>> interfaces no routing is needed.
>If they came over the network, they should have. That is a broken behaviour
>(breaks principle of less surprise, at the very least).
>Well, ipmasq needs an update to trash anything incoming and outgoing from
>!lo with a destination of then.

It already does this.  Check out /etc/ipmasq/rules/I15lospoof.def. It also
blocks and logs packets coming from external interfaces claiming to be from an
internal address in the /etc/ipmasq/rules/I70masq.def file.  The ipmasq 
firewall is very careful about blocking these sorts of attacks.  The only 
change I make to its default operation is to lock down the external 

- -- 
Ted Cabeen           http://www.pobox.com/~secabeen            ted@impulse.net 
Check Website or Keyserver for PGP/GPG Key BA0349D2         secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot        cabeen@netcom.com

Version: GnuPG v1.0.6 (OpenBSD)
Comment: Exmh version 2.5 07/13/2001


Reply to: