On Tuesday 08 May 2012 02:05:44, imnotpc wrote:
[...]
> > promiscuous mode means you're passing through from layer 2 to layer 3
> > irrespective of mac address (ie: even if it's not for you)
> >
> > iptables is not complaining
> >
> > martians is kernel level, (resource path filtering (for asynchronous
> > routing)), before iptables even comes into play.
>
> So the kernel would log the martian before iptables sees it? That
> explains why it isn't dropped by the firewall. But that begs the
> question, is there any point in using iptables rules to block packets
> from other subnets if iptables will never see them? Just about every
> sample firewall ruleset I've ever seen does this either explicitly or by
> allowing them to fall through to the default DROP rule. Now that I'm
> thinking back, in 10+ years of Linux LAN experience I've never seen a
> martian packet logged by any of my firewalls. I just assumed it was good
> network management ;-)
Yes, because the rp_filter level can be adjusted in the kernel :-)
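Since the reply says the rp_filter level is a kernel knob, here is an added audit script (not part of the thread) that works out the effective per-interface setting the way the kernel does: for net.ipv4.conf.*.rp_filter the larger of conf.all and conf.<iface> wins (0 = off, 1 = strict, 2 = loose), and log_martians is on for an interface if either conf.all or conf.<iface> is 1. The sysctl lines in SAMPLE_SYSCTL are constructed to stand in for `sysctl net.ipv4.conf` output; on a real host you would feed that command's output in instead.

```shell
#!/bin/sh
# Added example: compute the effective rp_filter / log_martians setting per
# interface from sysctl-style "key = value" lines. Combination rules follow
# Documentation/networking/ip-sysctl.txt: rp_filter uses the max of conf.all
# and conf.<iface>; log_martians is enabled if either of those is 1.

# Constructed sample, standing in for `sysctl net.ipv4.conf` output.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.log_martians = 0'

# get_value <lines> <scope> <key> -> prints the stored value, or 0 if absent
get_value() {
    printf '%s\n' "$1" | awk -v k="net.ipv4.conf.$2.$3" '
        $1 == k { print $3; found = 1 }
        END { if (!found) print 0 }'
}

# effective_rp_filter <lines> <iface> -> max(conf.all, conf.<iface>)
effective_rp_filter() {
    a=$(get_value "$1" all rp_filter)
    i=$(get_value "$1" "$2" rp_filter)
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# effective_log_martians <lines> <iface> -> 1 if conf.all or conf.<iface> is 1
effective_log_martians() {
    a=$(get_value "$1" all log_martians)
    i=$(get_value "$1" "$2" log_martians)
    if [ "$a" -eq 1 ] || [ "$i" -eq 1 ]; then echo 1; else echo 0; fi
}

# audit_iface <lines> <iface>: prints one summary line; exit status is
# non-zero when source validation is off (rp_filter 0) on that interface.
audit_iface() {
    rp=$(effective_rp_filter "$1" "$2")
    lm=$(effective_log_martians "$1" "$2")
    case $rp in
        0) mode=off ;;
        1) mode=strict ;;
        2) mode=loose ;;
        *) mode=unknown ;;
    esac
    printf '%s rp_filter=%s(%s) log_martians=%s\n' "$2" "$rp" "$mode" "$lm"
    [ "$rp" -ne 0 ]
}

# Usage: audit the interfaces named in the sample.
for ifc in eth0 eth1; do
    audit_iface "$SAMPLE_SYSCTL" "$ifc" \
        || echo "  WARNING: $ifc does not validate source addresses"
done
```

Note that conf.default only seeds interfaces created later; it plays no part in the effective value for an interface that already exists, which is why eth1 above ends up with validation off even though default is 1.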
