Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Block martians with source address 127.0.0.1
From: Konstantin Gavrilenko (mlistsarhont.com)
Date: Tue Jun 01 2004 - 19:40:41 CDT
Cedric Blancher wrote:
> Le lun 31/05/2004 à 12:55, Bjørn Rasmussen a écrit :
>>The kernel on the firewall logs these packets as martians which it
>>should do, but my rules will not log or block these packets. Anybody
>>who knows how to do it? Is it possible? I guess there are situations
>>were malicious persons could at least perform a DoS-attack?
> As a general rule, when a Linux box receive a packet sourced with one of
> its adresses, it is silently discarded at routing process. So your INPUT
> stuff should not see the packet coming.
Since Bjorn mentioned that he uses FreeSWAN for IPSEC.
Bear in mind, that on 2.6 kernels you would have to ammend rules to
allow legitimate packets with private addresses through, since you do
not have a separate interface for decapsulated ESP/AH packets.
> Furthermore, if reverse path filtering (rp_filter) is enabled, then
> martians are automaticly discarded, before they get to INPUT or FORWARD.
Konstantin V. Gavrilenko
Arhont Ltd - Information Security
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com