
Re: Network Security hole (was -> Re: arp bug )

To: erich@xxxxxxxx
Subject: Re: Network Security hole (was -> Re: arp bug )
From: Julian Anastasov <ja@xxxxxx>
Date: Sun, 3 Mar 2002 03:25:24 +0000 (GMT)
Cc: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>, Szekeres Bela <szekeres@xxxxxxxxxxxx>, Daniel Gryniewicz <dang@xxxxxxxxxxx>, <netdev@xxxxxxxxxxx>
In-reply-to: <E16hJki-0000rY-00@trillium-hollow.org>
Sender: owner-netdev@xxxxxxxxxxx
        Hello,

On Sat, 2 Mar 2002 erich@xxxxxxxx wrote:

> That's not what I was talking about.  I'm talking about
> Destination Address Validation based on the network you're getting
> the packet from, before it's passed on up to the protocol layers
> to the application.

        :) You want to restrict the access to one device.
Use firewall rules.

> This is, frankly, the most important part for determining if you
> want to firewall off a packet from the wrong place.  And if you

        Think different:

- the hosts have unique IPs

- in most of the cases you don't need to bind somehow the traffic
to device at application layer, you can use the paths provided
from routes

- if you have many paths to one remote IP you can try to distinguish
them by more specific routes specifying selection for the source
addresses or to use alternative routes with failover/balancing
capability

        So, the source validation is enough to catch packets
from wrong place and additionally can provide the ability to
use many interfaces for incoming/outgoing traffic.

> IP firewalling code in Linux does not fix.  I.e. if I wanted to
> have routing as well, but not accept any packets internally *not*
> destined for my interface, I'm not sure how to specify it without

        You can do it also by using more specific rules, for
example:

ip rule add from local_restricted_ip to each_allowed_remote_net table 100
ip route add each_allowed_remote_net [via XXX] dev XXX src XXX table 100

        Such rules restrict the traffic between the local and
remote net only through one device, something similar to the
restriction provided from ISPs: if you are connected to 2 ISPs
with distinct networks you have to use such specific rules
to allow packets from universe to come only from their respective
interface, same for the in->out traffic.

Regards

--
Julian Anastasov <ja@xxxxxx>
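The two-ISP case Julian describes, carried through as a complete script. This is an added example, not part of the mail above: the interface names, addresses, gateways and table numbers are constructed placeholders, and the `rp_filter` sysctl is my assumption for how the "source validation" he mentions is switched on per device in Linux. It defaults to printing the commands (DRY_RUN=1) so it can be read and checked without root; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the original mail): policy routing that pins each
# local address / remote network pair to exactly one uplink, for a host with
# two ISPs. All names, addresses and table numbers are placeholders.
#
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pin_path LOCAL_IP REMOTE_NET GATEWAY DEV TABLE
# Packets from LOCAL_IP to REMOTE_NET are looked up in TABLE, and TABLE only
# knows REMOTE_NET via DEV, so no other interface can carry that traffic.
# Incoming packets are then checked against the same routes by the
# per-device reverse-path filter (assumed here to be how source validation
# is enabled): a packet arriving on DEV whose source would not be routed
# back out through DEV is dropped.
pin_path() {
    local_ip=$1
    remote_net=$2
    gw=$3
    dev=$4
    table=$5
    run ip rule add from "$local_ip" to "$remote_net" table "$table"
    run ip route add "$remote_net" via "$gw" dev "$dev" src "$local_ip" table "$table"
    run sysctl -w "net.ipv4.conf.$dev.rp_filter=1"
}

# Constructed two-ISP layout:
#   ISP A: local 192.0.2.10   on eth0, gateway 192.0.2.1
#   ISP B: local 203.0.113.10 on eth1, gateway 203.0.113.1
# Both reach the same remote network 198.51.100.0/24, which is exactly the
# situation where an unrestricted main table could send replies for ISP A's
# address out through ISP B's link.
two_isp_setup() {
    pin_path 192.0.2.10   198.51.100.0/24 192.0.2.1   eth0 100
    pin_path 203.0.113.10 198.51.100.0/24 203.0.113.1 eth1 101
}

two_isp_setup
```

Each `pin_path` call produces one rule, one route and one sysctl line; with DRY_RUN=1 the six lines are printed in that order, which is also the order in which they must be applied, since the rule must not select a table that has no route in it yet.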

