* Subba Rao <[EMAIL PROTECTED]> [030622 01:16]:
> I am using iptables on my system.  It is a very basic setup that denies all
> outside connections.  When an outside connection is attempted, the packet is
> dropped and logged to syslog.  When I run tcpdump on the same interface,
> I do see a lot of ARP requests and bootps/bootpc (UDP) requests.  Why are these
> attempts not logged to syslog?
>
> Is it because ARP requests are a lower level protocol?

ARP is normally not handled by iptables; it is a lower-level protocol
and is used to initiate sending requests to you. Before a TCP connection
can be established, the sender will send you an ARP request and cannot
send you anything until an ARP reply is sent to him. Only after that
will you see the IP packet sent to you. This is of course relevant to
Ethernet only (including ETHoA).

There is a module for iptables to handle ARPs, but I haven't tried it
yet. I believe that normally iptables doesn't even bother looking at the
ARP protocol, so even if your firewall has a block-all rule, ARPs
will still pass.

> Another question is, when a legitimate packet is allowed and climbing the
> TCP/IP stack, who (iptables or tcpdump) gets to see the packet first?

Both will see it. I don't remember the exact code flow, but if there is
a tcpdump listening on the interface, the packets will be cloned very
early in the process and sent to tcpdump to watch, and the
original will be sent to iptables to be checked whether it is allowed up
into the IP stack.

The packets that go to tcpdump are read from user mode and will never
traverse the IP stack. This way you can see everything that comes
to/from you, and still block it.

Baruch

Attachment: pgp00000.pgp
Description: PGP signature
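The two points in Baruch's reply (ARP is demultiplexed below IP, so an IP-layer deny-all never sees it, while a packet-socket tap such as tcpdump gets a copy of every frame before that demux) as an added, self-contained toy model. This is example code written for this page, not code from the thread or from the iptables/tcpdump projects; the frames, MAC and IP addresses, the `eth0` interface name and the `deny-all:` log prefix are all constructed for the demonstration, and the `Host` class is a simplification of the Linux receive path, not a description of its actual code.

```python
import socket
import struct

# EtherTypes of interest. ARP is a link-layer protocol: the kernel's ARP code
# answers it directly, and netfilter's IP hooks (iptables) are never consulted.
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# ---- constructed sample frames (hand-built for the example, not captured) ----

def build_ethernet(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Broadcast 'who-has target_ip tell sender_ip' as laid out in RFC 826."""
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)  # htype=Ethernet, ptype=IPv4, op=request
    arp += sender_mac + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)   # target MAC still unknown
    return build_ethernet(b"\xff" * 6, sender_mac, ETH_P_ARP, arp)

def build_ipv4_tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Minimal IPv4 header (no options, checksum zeroed) carrying a bare TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return build_ethernet(dst_mac, src_mac, ETH_P_IP, ip + tcp)

# ---- parsing, as a packet capture tool would do it for every frame ----

def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]

def parse_arp(pkt):
    op = struct.unpack("!H", pkt[6:8])[0]
    return op, socket.inet_ntoa(pkt[14:18]), socket.inet_ntoa(pkt[24:28])

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]

def describe(frame):
    """Roughly the one-line summary tcpdump prints; it decodes ARP and IP alike."""
    _, _, ethertype, payload = parse_ethernet(frame)
    if ethertype == ETH_P_ARP:
        op, sender_ip, target_ip = parse_arp(payload)
        kind = "Request who-has" if op == 1 else "Reply"
        return f"ARP, {kind} {target_ip} tell {sender_ip}"
    if ethertype == ETH_P_IP:
        proto, src, dst, l4 = parse_ipv4(payload)
        if proto == 6:
            sport, dport = struct.unpack("!HH", l4[:4])
            return f"IP {src}.{sport} > {dst}.{dport}: TCP"
        return f"IP {src} > {dst}: {IPPROTO_NAMES.get(proto, proto)}"
    return f"unknown ethertype 0x{ethertype:04x}"

# ---- a toy receive path (assumed simplification, not the kernel's code) ----

class Host:
    """Every frame is first cloned to packet-socket listeners (tcpdump); only
    frames with an IP EtherType then reach the iptables INPUT chain, where a
    deny-all policy logs and drops them."""

    def __init__(self):
        self.tcpdump = []  # lines tcpdump would print
        self.syslog = []   # lines the iptables LOG target would emit

    def receive(self, frame):
        self.tcpdump.append(describe(frame))  # copy to the tap before demux
        _, _, ethertype, payload = parse_ethernet(frame)
        if ethertype == ETH_P_ARP:
            return "ARP: handled by the link layer, iptables not consulted"
        if ethertype == ETH_P_IP:
            return self.iptables_input(payload)
        return "unknown EtherType: discarded"

    def iptables_input(self, pkt):
        # models: -A INPUT -j LOG --log-prefix "deny-all: " ; -A INPUT -j DROP
        proto, src, dst, _ = parse_ipv4(pkt)
        self.syslog.append(f"deny-all: IN=eth0 SRC={src} DST={dst} "
                           f"PROTO={IPPROTO_NAMES.get(proto, proto)}")
        return "IP: logged and dropped by the INPUT chain"

def run_demo():
    """Feed the host the ARP request a peer must send before its TCP SYN."""
    host = Host()
    peer_mac, my_mac = bytes.fromhex("0200deadbeef"), bytes.fromhex("0200c0ffee01")
    arp = build_arp_request(peer_mac, "192.0.2.10", "192.0.2.1")
    syn = build_ipv4_tcp_syn(peer_mac, my_mac, "192.0.2.10", "192.0.2.1", 40000, 22)
    verdicts = [host.receive(arp), host.receive(syn)]
    return host.tcpdump, host.syslog, verdicts

if __name__ == "__main__":
    for section in run_demo():
        print(section)
```

Running it shows two tcpdump lines (the ARP request and the SYN) but only one syslog line, for the SYN: the tap saw both frames, and the deny-all INPUT chain never had a chance to log the ARP because the link layer consumed it before the IP hooks ran. On a real host, filtering ARP needs the separate ARP-aware tool Baruch alludes to rather than more iptables rules.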