On Fri, 22 Oct 2004, Ilya Konstantinov wrote:

> guy keren wrote:
>
> >>On the PPP interface, you cannot detect spoofed messages with this
> >>method, since any IP coming from the Internet is legit.
> >
> >but, assuming that on the ppp0 you have a "true" IP address (i.e. not in
> >one of the private IP ranges), then you simply would place an iptables
> >rule denying any incoming packets whose source address is in one of the
> >'private' IP ranges. again, _only_ on ppp0.
>
> That's assuming you have any special "trust" relations with any private
> IP (thus, you want to prevent any outside machine pretending as an
> "inside" one). Otherwise, why block them in the first place?

because that's normally a sign of an invalid or malicious packet.

> Also, when trust of packet's physical origin is important, it's a far
> more concise practice to simply bind the sensitive service to the eth0
> interface only.

true.

> >>On the ETH interface, the cable company's router (CMTS) protects you
> >>from spoofing by employing techniques like "source-verify":
> >>http://www.cisco.com/en/US/tech/tk86/tk803/technologies_tech_note09186a00800a7828.shtml
> >
> >as i understand it, the only address on which you're supposed to talk over
> >eth0, is your local modem's address (either via dhcp, or via pptp).
>
> Over the cable network, you can receive legitimate connections from:
>
> 1. Your peers on the cable network (e.g. if you decide to play Quake
> against your neighbour without connecting to the Internet),

do people do that?

> 2. Your ISP's PPTP server.

funny - i thought that the pptp connection is established with your local
modem - not with the ISP's server(s). some kind of an extra tunneling...

> Packets you receive may have *any* source address (though it'd be silly
> if the cable company would hijack a non-private IP zone for use within
> their network...). You should not filter by source address.

since this won't be done, you can block other addresses safely.

> So how can you trust the source address of the packets you receive?
> Simple. The following rule, that applies on you, applies on all other
> cable company subscribers as well:

(i'm not a cable company subscriber ;) )

> Given an outgoing packet, the cable company's router (a.k.a. CMTS) will
> only pass it onwards (to other customers, to the ISP's RAS point...)
> *if* its source address matches one of the addresses DHCP-allocated to
> the physical[*] origin of the packet.
>
> [*] Every modem is a physical origin; You cannot hijack an IP allocated
> to your neighbour. There are technical measures to know which customer's
> modem sent out the packet.

this is, of course, assuming we trust the cable company's setup. do we?

--
guy

"For world domination - press 1, or dial 0, and please hold, for the creator."
-- nob o. dy

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
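The per-interface rule guy describes (drop inbound packets on ppp0 whose source is a private address, leave eth0 alone because neighbours and the ISP's PPTP server legitimately use private addresses there) is easy to get wrong by applying it to every interface. The script below is an added illustration, not code from either poster: it renders the iptables rules as strings without executing them, and applies the same decision to a constructed list of (interface, source) pairs so the asymmetry between ppp0 and eth0 is visible. Interface names, the choice of ranges (RFC 1918 plus link-local and loopback) and the sample addresses are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Hypothetical interface names matching the thread: ppp0 carries the public
# Internet address, eth0 faces the cable-modem segment.
EXTERNAL_IFACE = "ppp0"
LAN_IFACE = "eth0"

# Source ranges that should never appear on packets arriving from the
# Internet. RFC 1918 private space plus link-local and loopback (assumed set).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
    "127.0.0.0/8",
)]


def is_private_source(src: str) -> bool:
    """True if the source address falls in one of the filtered ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PRIVATE_RANGES)


def iptables_rules(iface: str = EXTERNAL_IFACE) -> List[str]:
    """Render the rule set for the external interface only: log, then drop.

    Logging before dropping means spoofed or misrouted packets leave a trace
    for the operator. This function only builds strings; nothing is executed.
    """
    rules = []
    for net in PRIVATE_RANGES:
        rules.append(f"iptables -A INPUT -i {iface} -s {net} -j LOG --log-prefix 'BOGON-SRC: '")
        rules.append(f"iptables -A INPUT -i {iface} -s {net} -j DROP")
    return rules


def filter_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the same decision to (iface, src) pairs.

    Only EXTERNAL_IFACE is filtered. A private source on eth0 is accepted,
    because on the cable segment that is exactly what legitimate peers and
    the ISP's PPTP endpoint look like.
    """
    verdicts = []
    for iface, src in packets:
        if iface == EXTERNAL_IFACE and is_private_source(src):
            verdicts.append((iface, src, "DROP"))
        else:
            verdicts.append((iface, src, "ACCEPT"))
    return verdicts


# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    ("ppp0", "203.0.113.7"),   # public source on the Internet link: fine
    ("ppp0", "192.168.1.20"),  # private source from the Internet: spoofed or misrouted
    ("ppp0", "10.9.8.7"),      # same, different range
    ("eth0", "10.1.2.3"),      # private source on the cable segment: legitimate
    ("eth0", "172.16.5.5"),    # e.g. the ISP's PPTP server
]

if __name__ == "__main__":
    for line in iptables_rules():
        print(line)
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:5} {src:15} {verdict}")
```

The same effect can be had from the kernel's reverse-path filter (`/proc/sys/net/ipv4/conf/<iface>/rp_filter`), which drops packets whose source would not be routed back out the interface they arrived on; the explicit rule set above is still useful because it logs what it drops and makes the per-interface policy readable.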
