Hello,

On Wednesday 22 May 2002 14:27, Ben Reser wrote:
> > [...]
> > it is now possible to fake the source IP dynamically
> > (using the dest of the original packet as the fake
> > source IP), as explained in this thread:
> > http://lists.samba.org/pipermail/netfilter/2002-February/020237.html
> > I've reformatted the patch so it will apply on the latest CVS tree.
>
> What's the point of putting bogus data out like this? If your ISP doesn't
> suck it'll get dropped anyway by an egress filter.

Well, say your firewall is 202.58.4.3, your webservers are 202.58.4.7-20 and all traffic from outside to your webservers is filtered by your firewall.

Now you can tell your firewall: if packet src != trusted and dest=202.58.4.7-20 and destport != 80, then reject the packet with an ICMP unreachable that seems to come from the webserver itself (and not from the firewall, so you won't detect the firewall so easily).

An egress filter at your ISP will not drop such packets, because as far as it's concerned, these packets come from legitimate sources...

Of course, if you don't use the new option of Guillaume, you can still do it by hand with the old patch, but you'll need many rules, one for each webserver in our case.

And sure enough, if you fake to an IP address not allocated to you by your ISP and your ISP has an egress filter, then it will be dropped...

Have a nice day,
Fabrice.

--
Fabrice MARIE
Senior R&D Engineer
Celestix Networks
http://www.celestix.com/
"Silly hacker, root is for administrators" -Unknown
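The reasoning in the reply above, modelled as an added example (not code from the thread or from the netfilter patch): the firewall's reject decision picks the original packet's destination as the ICMP source, and an ISP egress filter only checks whether that source lies inside the customer's allocated block. The trusted host 202.58.4.100 and the allocated block 202.58.4.0/24 are assumptions; the other addresses are the ones quoted in the post.

```python
import ipaddress

# Topology from the post (the trusted host and the ISP-allocated block are assumptions).
FIREWALL_IP = ipaddress.ip_address("202.58.4.3")
WEBSERVERS = {ipaddress.ip_address(f"202.58.4.{i}") for i in range(7, 21)}
TRUSTED = {ipaddress.ip_address("202.58.4.100")}        # assumed trusted admin source
ALLOCATED = ipaddress.ip_network("202.58.4.0/24")        # assumed block routed by the ISP


def firewall_decide(src, dst, dport, spoof_source=True):
    """Apply the rule from the post to one packet.

    Returns ("forward", None) when the packet is allowed through, or
    ("reject", icmp_src) where icmp_src is the source address the ICMP
    unreachable is sent with: the original destination when the patch's
    dynamic source option is used, the firewall's own address otherwise.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in WEBSERVERS and src not in TRUSTED and dport != 80:
        return ("reject", dst if spoof_source else FIREWALL_IP)
    return ("forward", None)


def egress_filter_passes(src):
    """ISP egress filter: forward only packets sourced from the allocated block."""
    return ipaddress.ip_address(src) in ALLOCATED


def reveals_firewall(icmp_src):
    """True when the ICMP error's source address exposes the firewall itself."""
    return ipaddress.ip_address(icmp_src) == FIREWALL_IP


if __name__ == "__main__":
    # Untrusted probe to a non-HTTP port on a webserver: rejected, ICMP sourced from the webserver.
    verdict, icmp_src = firewall_decide("198.51.100.9", "202.58.4.9", 22)
    print(verdict, icmp_src, "passes egress:", egress_filter_passes(icmp_src),
          "reveals firewall:", reveals_firewall(icmp_src))
    # The same probe to port 80 is simply forwarded.
    print(firewall_decide("198.51.100.9", "202.58.4.9", 80))
    # A source outside the allocated block is what the ISP egress filter drops.
    print("foreign source passes egress:", egress_filter_passes("10.0.0.1"))
```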