On 3/21/2014 8:19 AM, Hervé Werner wrote:
> Hello.
> 
> I was studying the smurf protection and was astonished to see that a
> RETURN rule without any IP restriction is written first in the chain:
>       -A smurfs -s 0.0.0.0/32 -j RETURN
>       -A smurfs -m addrtype --src-type BROADCAST -g smurflog
>       -A smurfs -s 224.0.0.0/4 -g smurflog
> 
> That means that all packets will return and none will go into the
> smurflog chain (and then be dropped), right?

No -- that says that if the source IP address is zero, then we return.
That is necessary in order to not break DHCP.

> 
> I tested the smurf attack to see how Shorewall would behave;
> unfortunately the current Linux kernel considers them to be martians and
> thus prevents them from reaching Shorewall.
> 
> 
> I'm also wondering why Shorewall is sometimes using "addrtype MULTICAST"
> and other times as above "-s 224.0.0.0/4" ?

Just depends on when the code was written.

> 
> Information about my setup: Shorewall version 4.5.21.7 fetched from the
> Debian testing repository.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
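As an added illustration (not code from the thread or from Shorewall itself), here is a small Python model of how the three "smurfs" rules quoted above are traversed, using a hypothetical calling chain `net_fwd`, an assumed `smurflog` body (log, then drop) and an assumed set of local broadcast addresses. It shows that only a 0.0.0.0 source returns to the caller, and how `-g` (goto) differs from `-j` (jump) when the target chain returns.

```python
import ipaddress

# Constructed model of the three "smurfs" rules quoted in the mail. Matching
# addrtype --src-type BROADCAST depends on the host's routing table; here we
# assume (hypothetically) one interface on 192.168.1.0/24, so its directed
# broadcast plus 255.255.255.255 count as BROADCAST sources.
ZERO = ipaddress.ip_address("0.0.0.0")
LOCAL_BROADCASTS = {ipaddress.ip_address("192.168.1.255"),
                    ipaddress.ip_address("255.255.255.255")}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Each rule: (match predicate on the source address, "-j" or "-g", target).
CHAINS = {
    # Hypothetical caller: every packet is checked by smurfs, then accepted.
    "net_fwd": [(lambda s: True, "-j", "smurfs"),
                (lambda s: True, "-j", "ACCEPT")],
    "smurfs": [
        (lambda s: s == ZERO, "-j", "RETURN"),                # -s 0.0.0.0/32 -j RETURN
        (lambda s: s in LOCAL_BROADCASTS, "-g", "smurflog"),  # --src-type BROADCAST
        (lambda s: s in MULTICAST, "-g", "smurflog"),         # -s 224.0.0.0/4
    ],
    # Assumed smurflog body: log (non-terminating), then drop.
    "smurflog": [(lambda s: True, "-j", "LOG"),
                 (lambda s: True, "-j", "DROP")],
}

def walk(chain, src):
    """Evaluate `chain` for source `src`, honouring -j/-g semantics.
    Returns a terminating verdict ("ACCEPT"/"DROP"), or "RETURN" when the
    chain is left via an explicit RETURN rule or by falling off its end."""
    for match, how, target in CHAINS[chain]:
        if not match(src):
            continue
        if target in ("ACCEPT", "DROP", "RETURN"):
            return target
        if target == "LOG":          # non-terminating target: keep going
            continue
        verdict = walk(target, src)
        if verdict != "RETURN":
            return verdict
        if how == "-g":              # goto: a RETURN in the target skips the rest of this chain
            return "RETURN"
        # -j: a RETURN in the target resumes with the next rule of this chain
    return "RETURN"

def chain_result(chain, src_str):
    """Result of entering `chain` with the given source address string."""
    return walk(chain, ipaddress.ip_address(src_str))

if __name__ == "__main__":
    for src in ("0.0.0.0", "10.0.0.5", "192.168.1.255", "239.1.1.1"):
        print(f"{src:>15} -> {chain_result('net_fwd', src)}")
```

A DHCP discover (source 0.0.0.0) returns out of smurfs and is accepted by the caller, while broadcast and multicast sources are dropped in smurflog; an ordinary unicast source simply falls off the end of smurfs, which is also a RETURN.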


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users