guy keren wrote:
That's assuming you have any special "trust" relations with any private IP (thus, you want to prevent any outside machine pretending to be an "inside" one). Otherwise, why block them in the first place?

On the PPP interface, you cannot detect spoofed messages with this method, since any IP coming from the Internet is legit.
But, assuming that on ppp0 you have a "true" IP address (i.e. not in one of the private IP ranges), then you would simply place an iptables rule denying any incoming packets whose source address is in one of the 'private' IP ranges. Again, _only_ on ppp0.
Also, when trust in a packet's physical origin is important, it's a far more concise practice to simply bind the sensitive service to the eth0 interface only.
On the ETH interface, the cable company's router (CMTS) protects you
from spoofing by employing techniques like "source-verify":
http://www.cisco.com/en/US/tech/tk86/tk803/technologies_tech_note09186a00800a7828.shtml
As I understand it, the only address with which you're supposed to talk over eth0 is your local modem's address (either via DHCP, or via PPTP).
Over the cable network, you can receive legitimate connections from:
1. Your peers on the cable network (e.g. if you decide to play Quake against your neighbour without connecting to the Internet),
2. Your ISP's PPTP server.
Packets you receive may have *any* source address (though it'd be silly for the cable company to hijack a non-private IP zone for use within their network...). You should not filter by source address.
So how can you trust the source address of the packets you receive? Simple. The following rule, which applies to you, applies to all other cable company subscribers as well:
Given an outgoing packet, the cable company's router (a.k.a. CMTS) will only pass it onwards (to other customers, to the ISP's RAS point...) *if* its source address matches one of the addresses DHCP-allocated to the physical[*] origin of the packet.
[*] Every modem is a physical origin; you cannot hijack an IP allocated to your neighbour. There are technical measures to know which customer's modem sent out the packet.
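The filtering policy the thread arrives at, written out as an added example (not code from either poster): RFC 1918 sources are dropped on ppp0 only, eth0 is not filtered by source because the CMTS already enforces it, and the sensitive service is reachable from eth0 alone. The interface names and the service port 2222 are assumptions; the script prints the iptables commands rather than running them, and includes an offline checker for the private ranges so the policy can be verified without root.

```shell
#!/bin/sh
# Anti-spoofing ingress policy for a box with ppp0 (Internet) and eth0 (cable
# segment). Added example, not from the original mail; ppp0/eth0 and the
# service port 2222 are assumed values.

PPP_IF=ppp0
ETH_IF=eth0
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip_to_int A.B.C.D -> 32-bit integer, pure POSIX sh.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_private ADDR -> exit 0 if ADDR lies in one of PRIVATE_RANGES, else 1.
# Matches exactly what the ppp0 DROP rules below would match.
is_private() {
    addr=$(ip_to_int "$1")
    for range in $PRIVATE_RANGES; do
        net=$(ip_to_int "${range%/*}")
        bits=${range#*/}
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( addr & mask )) -eq $(( net & mask )) ] && return 0
    done
    return 1
}

# build_rules prints the iptables commands so the policy can be reviewed
# (or piped to sh as root) before it is loaded.
build_rules() {
    # Spoofed "inside" addresses can only arrive over the Internet link.
    for range in $PRIVATE_RANGES; do
        echo "iptables -A INPUT -i $PPP_IF -s $range -j DROP"
    done
    # Sensitive service: accept from the cable segment, refuse from ppp0.
    echo "iptables -A INPUT -i $ETH_IF -p tcp --dport 2222 -j ACCEPT"
    echo "iptables -A INPUT -i $PPP_IF -p tcp --dport 2222 -j DROP"
}

build_rules
```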