On Mon, 2001-12-10 at 08:19, mdevin wrote:
> On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> > With ipchains you can make the following:
> >
> > ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
>
> What this says is: all packets with destination 192.168.0.1 must not
> have come from eth1 or they will be denied.
>
> Why do you choose to specify the rule this way and not like this:
> ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
> In other words: all packets coming from eth0 must have destination
> 192.168.0.1 or they will be denied?

I'm not the original author, but I use ! <interface> too. Using
! <destination> would break ip forwarding. If your box is a
gateway/router/firewall, it will drop all packets not destined for
192.168.0.1 (itself).

> Please explain. Is it because you may later want to put your ethernet
> card into promiscuous mode and thus receive packets with any destination
> as if they were for you? My rule above would prevent this whereas your
> rule would not. Both rules would prevent the attacker trying to
> circumvent the sshd bound IP address restriction however.
>
> Can you explain why you choose your rule.
>
> Cheers.
> Mark.

--
Berend De Schouwer
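Added example (not part of the thread): a small model of ipchains match semantics, applied to constructed packets, that shows Berend's point above. Assumes 192.168.0.1 is the box's own address and that 10.0.0.5 is some host the box forwards traffic to; interface roles are left as in the thread.

```python
# Added example, not from the mailing-list thread: evaluates the two
# ipchains rules quoted above against constructed packets to show that
# negating the interface only catches packets for the box's own address
# arriving on the wrong interface, while negating the destination also
# denies every packet the box is supposed to forward for other hosts.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    dst: str    # destination IP address


@dataclass(frozen=True)
class Rule:
    """One ipchains-style input rule; each criterion may be negated with '!'."""
    iface: Optional[str] = None
    iface_neg: bool = False
    dst: Optional[str] = None
    dst_neg: bool = False

    def matches(self, pkt: Packet) -> bool:
        # A criterion fails when (value equal) coincides with (criterion negated).
        if self.iface is not None and (pkt.iface == self.iface) == self.iface_neg:
            return False
        if self.dst is not None and (pkt.dst == self.dst) == self.dst_neg:
            return False
        return True


# ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY   (Guido's rule)
RULE_NEG_IFACE = Rule(iface="eth1", iface_neg=True, dst="192.168.0.1")
# ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY   (Mark's proposed rule)
RULE_NEG_DST = Rule(iface="eth0", dst="192.168.0.1", dst_neg=True)

# Constructed sample traffic (addresses and interfaces are assumptions).
PACKETS = {
    "own_addr_on_eth0": Packet("eth0", "192.168.0.1"),  # for the box itself, via eth0
    "own_addr_on_eth1": Packet("eth1", "192.168.0.1"),  # for the box itself, via eth1
    "forwarded": Packet("eth0", "10.0.0.5"),            # transit traffic for another host
}


def verdicts(rule: Rule) -> dict:
    """Map each sample packet name to True if the DENY rule fires for it."""
    return {name: rule.matches(pkt) for name, pkt in PACKETS.items()}
```

Only `RULE_NEG_DST` denies the "forwarded" packet, which is the forwarding breakage Berend describes.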

