Hi,
> many BSD based systems, it is possible to ping an inside interface from
> the outside, even with IP forwarding turned off (so I have been told).
> I know for a fact that Linux-2.0 and higher (and probably earlier as
> well) are not vulnerable to this.
Linux IS vulnerable to it. It will accept packets from outside on an
interface if the packet matches any of the system's addresses. Outgoing
packets, however, are only recognized as local ones if there is a route that
points to the interface. (Otherwise the packet will be sent and the ARP code
recognizes it and prints: 'arp called for my own ip address'.)
Since Linux has interface-based firewalling this is not really a problem.
General firewall rules should always mask out addresses which should never
appear on a specific interface.
Greetings
Bernd
--
Bernd Eckenfels, Wittumstrasse 13, 76646 Bruchsal, de
ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
PGP 2048/A2C51749, irc: eckes, +4972573817
If privacy is outlawed only Outlaws have privacy
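The interface-based masking Bernd recommends, as an added example that is not part of the original thread: a script that, from a constructed interface/address map (eth0 as the outside interface, eth1 and eth2 as inside interfaces, all addresses made up), emits one iptables DROP rule for every packet that arrives on an interface but is addressed to another interface's address. iptables is assumed as the modern equivalent of the ipfwadm/ipchains tools of the Linux 2.0 era; the rules are printed, not applied.

```shell
#!/bin/sh
# Constructed interface -> address map (assumption, not from the post).
# One "iface address" pair per line.
IFACE_ADDRS="eth0 203.0.113.10
eth1 192.168.1.1
eth2 10.0.0.1"

# Emit a DROP rule for each (ingress interface, address) pair where the
# destination address belongs to a different interface. With these rules a
# packet for the inside address 192.168.1.1 arriving on eth0 is discarded,
# even though the kernel would otherwise accept it as local (weak host model).
# Output is printed; pipe it to sh to install the rules.
gen_iface_mask_rules() {
    echo "$IFACE_ADDRS" | while read -r in_if in_addr; do
        [ -z "$in_if" ] && continue
        echo "$IFACE_ADDRS" | while read -r other_if other_addr; do
            [ -z "$other_if" ] && continue
            # An interface may of course receive packets for its own address.
            [ "$in_if" = "$other_if" ] && continue
            printf 'iptables -A INPUT -i %s -d %s -j DROP\n' "$in_if" "$other_addr"
        done
    done
}

# Number of rules generated: n interfaces give n*(n-1) rules.
count_rules() {
    gen_iface_mask_rules | wc -l | tr -d ' '
}

# Stand-alone run: show the rules that would be installed.
gen_iface_mask_rules
```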