TCLUG Archive
[chewie@wookimus.net: Interface Envy]
I'm forwarding this to the TCLUG list since responses are a little faster
than through debian-firewall ;-).
^chewie
----- Forwarded message from ^chewie <chewie@wookimus.net> -----
From: ^chewie <chewie@wookimus.net>
To: debian-firewall@lists.debian.org
Subject: Interface Envy
I've got a strange problem here, though it may not really be a problem.
I've set up my firewall in the same manner as described in the
IPCHAINS-HOWTO, Section 7 [1]. In it, I've described an interface chain
for my Internet interface: inet-if.
The linking rule for the inet-if is found in the 'input' chain:
ipchains -A input -d <inet_ip_addr> -j inet-if
The first rule of the inet-if chain is to DENY any input on interfaces
other than the Internet interface (in this case eth1).
ipchains -A inet-if -i ! eth0 -j DENY -l
Now, this seems very logical, but I get the following type of message
quite often:
Jan 26 09:15:42 mirax kernel: Packet log: inet-if DENY lo PROTO=6
209.98.238.114:1680 209.98.238.114:25 L=60 S=0x00 I=25925 F=0x4000
T=64 SYN (#1)
The 'lo' interface is posing as the eth0 interface. What gives? Should I
create a chain to allow lo interface access to all of my other interface
IPs?
ipchains -I inet-if 1 -i lo -s <inet_ip_addr> -j ACCEPT -l
Thanks,
^chewie
References:
[1] IPCHAINS-HOWTO <http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html>
--
Chad Walstrom mailto:chewie@wookimus.net
a.k.a ^chewie, gunnarr http://wookimus.net/~chewie
----- End forwarded message -----
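Added example, not part of the original message: a Python parser for the ipchains "-l" log format quoted above. It separates entries where the host is connecting to one of its own addresses (Linux delivers that traffic over lo) from entries carrying a local source address on another interface. The second sample entry and the names parse, classify and LOCAL_ADDRS are constructed for illustration.

```python
import re

# Layout of an ipchains "-l" entry: chain, target, interface, protocol,
# src:port, dst:port, L/S/I/F/T, optional SYN marker, matching rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse(entry):
    """Return the fields of one log entry as a dict, or None if it does not match."""
    m = LOG_RE.search(" ".join(entry.split()))  # undo mail line wrapping
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def classify(rec, local_addrs):
    """Label an entry by arrival interface and whether the source is a local address."""
    if rec["src"] in local_addrs:
        if rec["iface"] == "lo":
            return "self-via-loopback"    # host talking to its own address
        return "own-address-on-wire"      # local source seen on a real interface
    return "remote"

LOCAL_ADDRS = {"127.0.0.1", "209.98.238.114"}  # assumption: this host's addresses

SAMPLE = [
    # Entry from the message above, wrapped as it was in the mail.
    """Jan 26 09:15:42 mirax kernel: Packet log: inet-if DENY lo PROTO=6
    209.98.238.114:1680 209.98.238.114:25 L=60 S=0x00 I=25925 F=0x4000
    T=64 SYN (#1)""",
    # Constructed entry: same addresses, but logged on a non-loopback interface.
    "Jan 26 09:20:01 mirax kernel: Packet log: inet-if DENY eth1 PROTO=6 "
    "209.98.238.114:1024 209.98.238.114:25 L=60 S=0x00 I=4242 F=0x4000 T=52 SYN (#1)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        rec = parse(entry)
        print(rec["iface"], rec["src"], "->", rec["dst"], rec["dport"],
              classify(rec, LOCAL_ADDRS))
```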