Hi,
> Let's say that we've two interfaces, 130.x.x.x and 192.x.x.x on a
> linux firewall, someone sends packet addressed to interface 192 and the
> machines accepts it then it should reply on network 192 not 130?
No, it will reply on the network the route points to:
               Firewall                   External Host
    eth1  +------------------+  eth0      +----------+
          | <--130.x.x.x     |            | 10.y.y.y |
          | 192.x.x.x -->    |            +----------+
          | default -->      |
          +------------------+
y.y.y.y on the 192.x.x.x network sends a packet to the interface eth0 with
a destination of 130.x.x.x. The packet will be received by the Linux box
(since it matches one of its interfaces). The answer to this packet will get
the destination address of the sender (130.x.x.x) and will be sent to the
interface the route points to (default=eth0). Therefore it is no problem to
connect from eth0 to the address of eth1. Of course you can simply add a
firewall rule that only allows 192.x.x.x destinations on eth0 and 130.x.x.x
destinations on eth1. Since these are the default rulesets on screening
routers anyway, there is no problem with that. Note that getsockname gives
you the local address but not the interface!! Therefore xinetd's use will not
be secure, but handy, since you can give your firewall 2 addresses on the
inside net and do different proxying to destinations (very handy for NNTP (2
servers) if you don't have transparent proxies).
Greetings
Bernd
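An added example (my code, not Bernd's) that models the two points in the reply with constructed addresses: the interface a reply leaves on comes from a route lookup on the sender's address, not from the interface the request arrived on, and the per-interface destination rule he suggests rejects a packet arriving on eth0 for eth1's address. The routing table, the two networks and the host addresses are all assumed.

```python
import ipaddress

# Constructed routing table in the shape of the diagram above:
# the 130.x.x.x net is reached via eth1, the 192.x.x.x net via eth0,
# and the default route also points out of eth0.
ROUTES = [
    ("130.1.0.0/16", "eth1"),
    ("192.168.0.0/16", "eth0"),
    ("0.0.0.0/0", "eth0"),
]

# Screening-router style policy: a packet arriving on an interface may
# only be addressed to the network that lives on that interface.
ALLOWED_DST = {
    "eth0": ipaddress.ip_network("192.168.0.0/16"),
    "eth1": ipaddress.ip_network("130.1.0.0/16"),
}


def route_lookup(dst):
    """Longest-prefix match: interface a packet to dst is sent out of."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev in ROUTES:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, dev)
    return best[1]


def reply_interface(src, ingress):
    """Interface the reply to a packet from src takes.

    ingress (the interface the request came in on) is deliberately unused:
    the kernel routes the reply by its destination, which is the sender.
    """
    return route_lookup(src)


def screening_filter(ingress, dst):
    """True if the per-interface destination rule accepts the packet."""
    return ipaddress.ip_address(dst) in ALLOWED_DST[ingress]


if __name__ == "__main__":
    # External host 10.5.5.5 on eth0 talks to eth1's address 130.1.2.3.
    print("reply leaves on", reply_interface("10.5.5.5", "eth0"))   # eth0
    print("filter accepts", screening_filter("eth0", "130.1.2.3"))   # False
```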