Date: Tue, 28 Jul 1998 09:55:12 +0200
From: sthaug@nethelp.no
To: marcs@znep.com
Cc: ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
Message-ID: <12062.901612512@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 27 Jul 1998 23:06:34 -0700 (PDT)"
References: <Pine.GSO.4.00.9807272303400.26598-100000@redfish>

> > Hrm, that's no good.  But if I'm not mistaken, each interface is
> > configured with its own address.  Does this not give the system enough
> > information to reject packets arriving on the wrong interface for their
> > address?
>
> There is no such thing as the "wrong interface".
>
> It is completely normal and valid to expect that binding to an IP address
> will let connections be accepted on that IP address.  If routing etc. is
> somehow set up so that works when traffic comes in through another
> interface, so it should.  It is called routing.

If your box is set up *not* to route (net.inet.ip.forwarding = 0), I can
certainly see security advantages in not allowing packets to be accepted
unless they have destination address equal to the interface address.

I have seen a patch for this floating around on the net, but it would be
nice to have this configurable.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
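The check discussed in this message, as an added example (not part of the original e-mail and not the patch it mentions): a small C model of the input decision on a dual-homed host, comparing the behaviour the quoted text defends with the stricter destination check suggested for a non-routing box. The interface names, addresses, the `strict` flag and the loopback exemption are assumptions of this model; broadcast and multicast are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum verdict { DELIVER, FORWARD, DROP };
struct iface { const char *name; uint32_t addr; int loopback; };

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed dual-homed host; names and addresses are illustrative. */
static const struct iface ifs[] = {
    { "ed0", IP4(192, 0, 2, 1), 0 },   /* outside */
    { "ed1", IP4(10, 0, 0, 1),  0 },   /* inside */
    { "lo0", IP4(127, 0, 0, 1), 1 },
};
#define NIFS (sizeof ifs / sizeof ifs[0])

/*
 * rcvif:      index into ifs[] of the interface the packet arrived on
 * forwarding: models net.inet.ip.forwarding
 * strict:     hypothetical knob enabling the check proposed in the message
 */
enum verdict ip_input_verdict(size_t rcvif, uint32_t dst, int forwarding, int strict)
{
    for (size_t i = 0; i < NIFS; i++) {
        if (ifs[i].addr != dst)
            continue;
        if (i == rcvif)
            return DELIVER;            /* address of the receiving interface */
        /* Assumption of this model: traffic the host sends to its own
         * addresses arrives via loopback and must stay deliverable. */
        if (ifs[rcvif].loopback)
            return DELIVER;
        /* Our address, but configured on a different interface. */
        return (strict && !forwarding) ? DROP : DELIVER;
    }
    return forwarding ? FORWARD : DROP; /* not addressed to this host */
}

int main(void)
{
    static const char *names[] = { "DELIVER", "FORWARD", "DROP" };
    uint32_t inside = IP4(10, 0, 0, 1);
    /* Packet for the inside address showing up on the outside interface. */
    printf("weak host:   %s\n", names[ip_input_verdict(0, inside, 0, 0)]);
    printf("strict host: %s\n", names[ip_input_verdict(0, inside, 0, 1)]);
    printf("router:      %s\n", names[ip_input_verdict(0, inside, 1, 1)]);
    return 0;
}
```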