On Mon, Dec 10, 2001 at 09:31:09AM +0200, Berend De Schouwer wrote:
> On Mon, 2001-12-10 at 08:19, mdevin wrote:
> > On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > > With ipchains you can make the following:
> > >
> > > ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
> >
> > What this says is: all packets with destination 192.168.0.1 must not
> > have come from eth1 or they will be denied.
> >
> > Why do you choose to specify the rule this way and not like this:
> > ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
> > In other words: all packets coming from eth0 must have destination
> > 192.168.0.1 or they will be denied?
>
> I'm not the original author, but I use ! <interface> too.
>
> Using ! <destination> would break ip forwarding. If your box is a
> gateway/router/firewall, it will drop all packets not destined for
> 192.168.0.1 (itself).

OK, I see the problem. However, I think this only applies to ipchains, where forwarded packets traverse the input and output chains.
Sorry, I was transposing my thoughts into ipchains rules. Actually my firewall is iptables based. In iptables, packets that are being masqueraded traverse only the FORWARD chain and not the INPUT or OUTPUT chains. Thus if the rule was:

iptables -A INPUT -i eth0 ! -d 192.168.0.1 -j DROP

this should be OK, I guess, since packets on the INPUT chain are destined only to localhost. All packets that need to be forwarded will traverse only the FORWARD chain and thus will not be checked against this rule.

Thus, on an iptables based firewall, is there a preference for which is the better approach? It is just that I came up with the rule above because it seemed more straightforward. In other words: if the packet came from interface eth0 and it is directed to localhost (INPUT chain), then it must have destination address 192.168.0.1 or we will DROP it. And you can make similar rules for every interface the firewall has.

But I guess the same applies for the ipchains rule you use. It is just that the primary focus is on the IP address of each interface rather than the interface itself.

The more I think about it, it doesn't seem to matter in iptables, unless you are putting your ethernet card into promiscuous mode or something. 'Cause then I guess you would see lots of packets not addressed to you coming in on your INPUT chain. Then that iptables rule would DROP them all unless they were specifically addressed to you, whereas if I used your style of rule then other packets not addressed to my box directly would still get through. I don't know anything about ethernet cards in promiscuous mode, so I'm not sure about this. What do you think?

And thanks for highlighting that ipchains difference; I had forgotten about that. Since January, I have only been using iptables.

Cheers.
Mark.
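To make the chain-traversal difference the thread is arguing about concrete, here is a small Python model of how ipchains and iptables hand a packet to their chains, run against both rule styles. This is an added example, not code from anyone in the thread. It assumes a layout the thread does not specify: eth0 is the LAN side holding 192.168.0.1 and eth1 is the outside holding 198.51.100.1 (RFC 5737 documentation addresses); Guido's "! interface" rule is rewritten for that layout (eth0 instead of eth1), and both styles are written out for both interfaces, as Mark suggests. The packets, addresses and chain policies are constructed for the demonstration; the model covers only input/forward traversal and only the -i and -d matches.

```python
"""Model of ipchains vs. iptables chain traversal for two anti-spoofing rule
styles. Constructed example; it touches no real firewall."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed box: eth0 = LAN side with 192.168.0.1, eth1 = outside with 198.51.100.1.
LOCAL_ADDRS = {"192.168.0.1", "198.51.100.1"}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    dst: str        # destination address (-d)


Match = Optional[Tuple[str, bool]]   # (value, negated) or None for "any"


@dataclass(frozen=True)
class Rule:
    in_iface: Match
    dst: Match
    target: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every non-wildcard field agrees, honouring '!'."""
    for value, spec in ((pkt.in_iface, rule.in_iface), (pkt.dst, rule.dst)):
        if spec is None:
            continue
        wanted, negated = spec
        # equal-but-negated or unequal-but-positive means this field fails
        if (value == wanted) == negated:
            return False
    return True


def run_chain(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def iptables_verdict(pkt: Packet, input_chain, forward_chain=()) -> str:
    """iptables: routing decision first. A locally destined packet sees only
    INPUT; a packet for another host sees only FORWARD."""
    if pkt.dst in LOCAL_ADDRS:
        return run_chain(input_chain, pkt)
    return run_chain(forward_chain, pkt)


def ipchains_verdict(pkt: Packet, input_chain, forward_chain=()) -> str:
    """ipchains: every packet traverses input first; a packet for another
    host then also traverses forward (output is left out of the model)."""
    verdict = run_chain(input_chain, pkt)
    if verdict != "ACCEPT" or pkt.dst in LOCAL_ADDRS:
        return verdict
    return run_chain(forward_chain, pkt)


# Guido's style, "-i ! <iface> -d <addr> -j DROP": an address may only arrive
# on its own interface. Written for both interfaces of the assumed box.
GUIDO = [Rule(("eth0", True), ("192.168.0.1", False), "DROP"),
         Rule(("eth1", True), ("198.51.100.1", False), "DROP")]
# Mark's style, "-i <iface> ! -d <addr> -j DROP", one rule per interface.
MARK = [Rule(("eth0", False), ("192.168.0.1", True), "DROP"),
        Rule(("eth1", False), ("198.51.100.1", True), "DROP")]

# Constructed packets.
LAN_TO_INTERNET = Packet("eth0", "203.0.113.5")    # must be forwarded
LAN_TO_FIREWALL = Packet("eth0", "192.168.0.1")    # legitimate local traffic
SPOOFED         = Packet("eth1", "192.168.0.1")    # outside claims the inside addr
LAN_TO_OUTER_IP = Packet("eth0", "198.51.100.1")   # LAN host uses the WAN address


def compare(pkt: Packet) -> dict:
    """Verdict of each firewall generation under each rule style."""
    return {
        "iptables/guido": iptables_verdict(pkt, GUIDO),
        "iptables/mark": iptables_verdict(pkt, MARK),
        "ipchains/guido": ipchains_verdict(pkt, GUIDO),
        "ipchains/mark": ipchains_verdict(pkt, MARK),
    }


if __name__ == "__main__":
    for name, pkt in (("lan->internet", LAN_TO_INTERNET),
                      ("lan->firewall", LAN_TO_FIREWALL),
                      ("spoofed", SPOOFED),
                      ("lan->wan addr", LAN_TO_OUTER_IP)):
        print(f"{name:14s} {compare(pkt)}")
```

Running it shows Berend's point: under ipchains the "! -d" rule in the input chain drops the LAN-to-Internet packet before it ever reaches forward, while the "! interface" rule lets it through; under iptables both styles accept it because only FORWARD is consulted. Both styles, once written for every interface, drop the spoofed packet and accept ordinary local traffic. One caveat worth checking on a real box: both full rule sets also drop a LAN host that talks to the firewall's outside address, since that packet arrives on eth0 with a destination that "belongs" to eth1.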