netdev

Re: Network Security hole (was -> Re: arp bug )

To: Julian Anastasov <ja@xxxxxx>
Subject: Re: Network Security hole (was -> Re: arp bug )
From: erich@xxxxxxxx
Date: Sat, 02 Mar 2002 17:48:37 -0800
Cc: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>, Szekeres Bela <szekeres@xxxxxxxxxxxx>, Daniel Gryniewicz <dang@xxxxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to: Your message of "Sun, 03 Mar 2002 03:25:24 GMT." <Pine.LNX.4.44.0203030306460.16710-100000@xxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
Julian Anastasov <ja@xxxxxx> wrote:

> On Sat, 2 Mar 2002 erich@xxxxxxxx wrote:
> 
> > That's not what I was talking about.  I'm talking about
> > Destination Address Validation based on the network you're getting
> > the packet from, before it's passed on up to the protocol layers
> > to the application.
> 
>       :) You want to restrict the access to one device.
> Use firewall rules.

Well, I'm arguing for default behavior here of the ARP and acceptance
of packets to interfaces.  I agree that, if you want exotic effects,
you can do whatever you want.

Given my argument about the standard interpretation, I think that
it's reasonable to have, for default behavior, what people would
expect to happen.  Why make it work for people to bulletproof
Linux in relatively simple configurations?


> > This is, frankly, the most important part for determining if you
> > want to firewall off a packet from the wrong place.  And if you
> 
>       Think different:
...

Er, you're talking about more exotic stuff.  I'm talking simply
the determination:  Is the host from physically inside or outside
of your network?

Anyone can craft packets to look like whatever they want if the machine
is close enough to you on the network (esp. if they're on the same
switched subnet, say).

This is a real thing you see often enough nowadays with Wireless networks
that have been dropped just outside of firewalls because WEP encryption
is broken.

So, just the simple protection of:  If I don't enable the "accept packets
from any interface for any other interface" mode, then act like the network
is distinct and validated to be so for each interface, with no bleed-over.

Heck, you might even want specific iptables or somesuch capabilities to
explicitly allow that kind of internal routing to the interfaces and
application layer.

--
    Erich Stefan Boleyn     <erich@xxxxxxxx>     http://www.uruk.org/
"Reality is truly stranger than fiction; Probably why fiction is so popular"
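
The two behaviours being argued over above, as an added illustration that is not part of the original message and not kernel code: a small model of how a two-homed Linux box decides whether to hand a locally addressed packet to the stack, and whether to answer an ARP request, under the default weak host model versus the "no bleed-over" default Erich is asking for. The `arp_ignore` levels 0 to 2 follow the documented semantics of the real Linux sysctl `net.ipv4.conf.*.arp_ignore`; the `strict_dst` knob, the `Host`/`Interface` classes and the interface names and addresses are hypothetical and constructed for the example.

```python
"""Model of weak vs strict host handling of locally delivered IPv4 packets
and ARP replies on a two-homed box.  Constructed example, not kernel code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Interface:
    name: str
    # (address, subnet it is configured in) pairs, as `ip addr` would show them
    addrs: list


@dataclass
class Host:
    ifaces: dict                # interface name -> Interface
    strict_dst: bool = False    # hypothetical knob: the "no bleed-over" default argued for
    arp_ignore: int = 0         # Linux net.ipv4.conf.*.arp_ignore; only levels 0-2 modelled

    def local_addrs(self):
        return {a for iface in self.ifaces.values() for a, _ in iface.addrs}

    def deliver(self, iif, dst):
        """Is a unicast IPv4 packet arriving on `iif` for `dst` accepted as local traffic?
        Forwarding of non-local destinations is out of scope and simply returns False."""
        dst = IPv4Address(dst)
        if dst not in self.local_addrs():
            return False
        if not self.strict_dst:
            # Weak host model (Linux default): any local address, on any interface.
            return True
        # Strict model: the address must belong to the interface the packet came in on.
        return any(a == dst for a, _ in self.ifaces[iif].addrs)

    def arp_reply(self, iif, target, sender):
        """Does the host answer an ARP who-has `target` from `sender` received on `iif`?"""
        target, sender = IPv4Address(target), IPv4Address(sender)
        if target not in self.local_addrs():
            return False
        if self.arp_ignore == 0:
            # Level 0: reply for any local address on any interface (the default).
            return True
        on_iif = [(a, n) for a, n in self.ifaces[iif].addrs if a == target]
        if not on_iif:
            return False
        if self.arp_ignore == 1:
            # Level 1: reply only if target is configured on the incoming interface.
            return True
        if self.arp_ignore == 2:
            # Level 2: as level 1, and the sender must be in that address's subnet.
            return any(sender in net for _, net in on_iif)
        raise ValueError("only arp_ignore levels 0-2 are modelled here")


def example_host(**knobs):
    """Constructed two-homed box: eth0 faces the outside, eth1 the inside LAN."""
    return Host(
        ifaces={
            "eth0": Interface("eth0", [(IPv4Address("203.0.113.10"),
                                        IPv4Network("203.0.113.0/24"))]),
            "eth1": Interface("eth1", [(IPv4Address("192.168.1.1"),
                                        IPv4Network("192.168.1.0/24"))]),
        },
        **knobs,
    )


if __name__ == "__main__":
    # An attacker on the outside segment (eth0) targets the inside address 192.168.1.1.
    for label, host in (("default", example_host()),
                        ("strict", example_host(strict_dst=True, arp_ignore=1))):
        print(label,
              "deliver:", host.deliver("eth0", "192.168.1.1"),
              "arp:", host.arp_reply("eth0", "192.168.1.1", "203.0.113.77"))
```

Under the defaults a packet from the outside segment addressed to the inside interface is delivered, and the box will even answer ARP for the inside address on the outside wire, which is the "bleed-over" the message objects to. On a real Linux host there is no single switch equivalent to `strict_dst`: the ARP half is covered by `arp_ignore` (or `arp_filter`), while the IP half is exactly the firewall rule Julian points to, for example `iptables -A INPUT -i eth0 -d 192.168.1.1 -j DROP`. Note that `rp_filter` does not do this job, since it validates the source address against the routing table rather than the destination against the ingress interface.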
