hi,

Does shorewall automatically prevent IP spoofing by filtering IP addresses depending on interfaces? If yes, where is it set?

I think that we have to set it by hand through /etc/shorewall/rules. Am I right?

Thx for your attention.

--
Baptiste SIMON aka BeTa
GNU/Linux & Unix system administrator
3, avenue de la Calypso 44000 Nantes
06 75 79 28 48

On Wed, 13 Aug 2003, BeTa wrote:

> hi,
>
> Does shorewall automatically prevent IP spoofing by filtering IP
> addresses depending on interfaces? If yes, where is it set?
>
> I think that we have to set it by hand through /etc/shorewall/rules. Am
> I right?

I just answered this question last weekend on the LEAF list. Shorewall anti-spoofing measures include:

a) ALL shorewall rules and policies are conditioned by BOTH interface and IP address.

b) Shorewall supports the 'routefilter' interface option that rejects all packets received on an interface where the source IP would not be routed back out that same interface.

c) The 'norfc1918' interface option allows handling of RFC 1918 reserved addresses on selected interfaces.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

> a) ALL shorewall rules and policies are conditioned by BOTH interface and
> IP address.

and where do we set up this IP address ??

> b) Shorewall supports the 'routefilter' interface option that rejects all
> packets received on an interface where the source IP would not be routed
> back out that same interface.

that's already known... perfect :c)

> c) The 'norfc1918' interface option allows handling of RFC 1918 reserved
> addresses on selected interfaces.

idem.

thanks...

--
BeTa

On Wed, 13 Aug 2003, BeTa wrote:

> > a) ALL shorewall rules and policies are conditioned by BOTH interface and
> > IP address.
>
> and where do we set up this IP address ??

You don't have a choice. It is fundamental to the Shorewall design.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Tue, 12 Aug 2003, Tom Eastep wrote:

> On Wed, 13 Aug 2003, BeTa wrote:
>
> > > a) ALL shorewall rules and policies are conditioned by BOTH interface and
> > > IP address.
> >
> > and where do we set up this IP address ??
>
> You don't have a choice. It is fundamental to the Shorewall design.

What I'm saying is that the way that Shorewall defines zones, a zone is always associated with a set of interfaces (and possibly with IP addresses accessed through those interfaces). ANY IP address that you specify in a rule must be qualified by a zone and that means that it is implicitly qualified by one or more interfaces.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net