Re: [Fwbuilder-discussion] Block martians from 127.0.0.1
From: R. <bj...@se...> - 2004-05-27 19:18:35
Thu, 27.05.2004 at 21.03, Bjørn Rasmussen wrote:
> Thu, 27.05.2004 at 16.20, Vadim Kurland wrote:
> > On May 27, 2004, at 5:51 AM, Bjørn Rasmussen wrote:
> > >
> > > Yes I did that, but still martians with source address 127.0.0.1 are
> > > not blocked. I've an "allow all rule" for the "lo" interface (any source,
> > > destination and service). Using "iptables -L -n -v", I see this rule is
> > > inserted before the spoofing rule in the input chain, meant to block
> > > martians with source address 127.0.0.1. Is there any way to get around
> > > this? Anybody that has managed to block these martians?
> >
> > anti-spoofing rules are bound to the external interface, while "allow
> > all" rule is bound to the loopback interface. These rules are
> > orthogonal, they never inspect the same packets because of these
> > different interfaces.
>
> Yes, that's what I thought. These rules should be completely safe on an
> iptables based firewall:
>
> #
> # Rule 0(lo)
> #
> # allow everything on loopback
> #
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> > Are you sure those martians are really coming from outside ? How does
> > the log record look like ?
>
> May 27 01:40:33 gw kernel: martian source 130.67.136.146 from 127.0.0.1,
> on dev ippp0
> May 27 01:40:33 gw kernel: ll header:
> 45:00:00:28:cb:83:00:00:77:06:ee:75:7f:00:00:01:82:43
>
> ... where 130.67.136.146 is a dynamic ip-address on an ISDN-line
> (ippp0), and I cannot recognise any part of the hardware-address.
>
> I'll do a test, placing the external spoofing rules on my LAN interface,
> and try spoofing addresses to see what happens in the log. I'll let you
> know.

The test showed the same result. 127.0.0.1 was not blocked by the rules, while other packets from the LAN were effectively blocked (since spoofing rules moved to the LAN interface were set up to block LAN packets on the external interface in the first place).
Again, thanks :-)

> > --vk
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: Oracle 10g
> > Get certified on the hottest thing ever to hit the market... Oracle 10g.
> > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > http://ads.osdn.com/?ad_id149&alloc_id66&op=click
> > _______________________________________________
> > Fwbuilder-discussion mailing list
> > Fwb...@li...
> > https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
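The two kernel lines quoted in the message are the evidence that decides the question Vadim asked (is the packet really arriving from outside?). The following is an added example, not code from the thread or from fwbuilder: a small log-triage helper that parses "martian source ... from ..., on dev ..." lines, pairs each with the "ll header" dump that follows, decodes the dump as the beginning of an IPv4 header, and checks that the source octets in the dump agree with the source the kernel reported. The assumption that the dump is an IPv4 header is mine, but the sample bytes support it: they start with 45 (version 4, header length 20) and carry 7f.00.00.01, i.e. 127.0.0.1, at the source-address offset, with the destination cut off after 82.43 (130.67...). The sample log lines are constructed from the ones quoted above, re-joined where the archive wrapped them. One point a defender should keep in mind when reading such logs: the kernel prints this message from its routing code, which discards the packet itself, so a filter rule in the INPUT chain never sees it and its counters stay at zero even though the packet was dropped.

```python
import re
import ipaddress

# Constructed sample: the two kernel lines quoted in the message above,
# joined back into single log lines, plus an unrelated line the parser
# must ignore.
SAMPLE_LOG = [
    "May 27 01:40:33 gw kernel: martian source 130.67.136.146 from 127.0.0.1, on dev ippp0",
    "May 27 01:40:33 gw kernel: ll header: 45:00:00:28:cb:83:00:00:77:06:ee:75:7f:00:00:01:82:43",
    "May 27 01:40:34 gw kernel: unrelated message that the parser must ignore",
]

# "martian source <dst> from <src>, on dev <if>": dst is the address the packet
# was sent to, src is the source address it claimed.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[0-9.]+) from (?P<src>[0-9.]+), on dev (?P<dev>\S+)"
)
LL_HEADER_RE = re.compile(r"ll header: (?P<hex>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)")


def classify_source(addr):
    """Name why an address cannot legitimately arrive on an external interface."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    if ip.is_multicast:
        return "multicast"
    if ip.is_unspecified:
        return "unspecified"
    return "public"


def decode_ip_header_prefix(hexdump):
    """Decode as much of an IPv4 header as a (possibly truncated) dump carries.

    Assumption: the bytes are the start of an IPv4 header. Fields beyond the
    end of the dump are simply left out of the result.
    """
    data = bytes.fromhex(hexdump.replace(":", ""))
    hdr = {}
    if len(data) >= 1:
        hdr["version"] = data[0] >> 4
        hdr["ihl_bytes"] = (data[0] & 0x0F) * 4
    if len(data) >= 4:
        hdr["total_length"] = int.from_bytes(data[2:4], "big")
    if len(data) >= 9:
        hdr["ttl"] = data[8]
    if len(data) >= 10:
        hdr["protocol"] = data[9]  # 6 = TCP, 17 = UDP, 1 = ICMP
    if len(data) >= 16:
        hdr["src"] = ".".join(str(b) for b in data[12:16])
    dst = data[16:20]
    if dst:
        # Only the leading octets survive when the dump is cut short.
        hdr["dst_prefix"] = ".".join(str(b) for b in dst)
        hdr["dst_complete"] = len(dst) == 4
    return hdr


def parse_martian_events(lines):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events = []
    pending = None
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            pending = m.groupdict()
            pending["src_class"] = classify_source(pending["src"])
            events.append(pending)
            continue
        h = LL_HEADER_RE.search(line)
        if h and pending is not None:
            hdr = decode_ip_header_prefix(h.group("hex"))
            pending["header"] = hdr
            # If the dump's source field agrees with the log line, the bytes
            # really are an IP header and the packet carried that source on
            # that device; a mismatch would mean the dump is something else
            # (e.g. a link-layer header) and should be read differently.
            pending["header_matches"] = (
                hdr.get("version") == 4 and hdr.get("src") == pending["src"]
            )
            pending = None
    return events


if __name__ == "__main__":
    for ev in parse_martian_events(SAMPLE_LOG):
        print(f"{ev['dev']}: {ev['src_class']} source {ev['src']} -> {ev['dst']}, "
              f"header agrees with log line: {ev.get('header_matches')}")
```

Run against the sample, the helper reports a loopback-class source on ippp0 whose header bytes agree with the log line (TTL 119, protocol 6, destination prefix 130.67), which is the same conclusion the test in the message reached: the packet genuinely arrived on the ISDN device claiming 127.0.0.1, and the loopback accept rule is irrelevant to it.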