From: Patrick Schaaf <bof@bof.de>
To: Patrick Schaaf <bof@bof.de>
Cc: Patrick Petermair <captain.nuke@gmx.at>, netfilter@lists.samba.org
Subject: Re: Rule question
Date: Sat, 22 Jun 2002 09:55:20 +0200
Message-ID: <20020622095520.I5183@oknodo.bof.de>
In-Reply-To: <20020622094607.H5183@oknodo.bof.de>; from bof@bof.de on Sat, Jun 22, 2002 at 09:46:08AM +0200
(replying to myself)
> OUTPUT is for packets from local processes on the firewall machine,
> which are going out to one or the other network interface. If you have
> a userlevel process bind()ing the external IP of your firewall, and it
> happens to connect() to a machine on the internal network, that rule
> makes it work.
For the record, there are methods available today [*] which permit you
to even _force_ select user level processes to be bound on the external IP.
In the context of firewalls, that may be a group of application level
proxies which accept "from the outside world". As usual for an application
level proxy, the next thing it does after accept()ing is making a connection
to an internal IP address.
[*] I am thinking of the chbind feature available with the vserver kernel
patches, found at http://www.solucorp.qc.ca/miscprj/s_context.hc
We are actively using that patch, and it makes a great companion to
iptables. The advantage of such "chbinding" is that even when somebody
happens to be able to exploit that application level gateway from the
outside, it will _not_ be able to impersonate any IP address (as a source)
except the one specified at "chbind" time. This keeps your iptables ruleset
intact and sane.
best regards
Patrick
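The two steps described in this thread, an application-level proxy accept()ing on the firewall and then connect()ing to an internal address with its source pinned to one IP, as an added example that is not from the original post or from the vserver project. It is plain Python on the loopback interface: `ALLOWED_SOURCE`, `connect_from`, `SourcePolicyError` and the echo listener are constructed for this example, and the source-address check is a userland stand-in for what chbind enforces in the kernel, not chbind itself.

```python
import socket
import threading

# Constructed policy for this example: the single source address the proxy
# may originate traffic from. On a real firewall this would be the external
# IP; 127.0.0.1 is an assumption so the example runs offline.
ALLOWED_SOURCE = "127.0.0.1"


class SourcePolicyError(Exception):
    """Raised when code tries to originate traffic from a non-pinned source IP."""


def connect_from(source_ip, dest, allowed=ALLOWED_SOURCE, timeout=2.0):
    """Open a TCP connection whose source IP is pinned to `source_ip`.

    Userland stand-in for the chbind idea: any other source address is refused
    before bind() is even attempted, so a compromised proxy cannot pick a
    different source and slip past an OUTPUT rule that matches on it.
    """
    if source_ip != allowed:
        raise SourcePolicyError(f"source {source_ip} not permitted; pinned to {allowed}")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    # Explicit bind() decides the source address the OUTPUT chain will see;
    # without it the kernel picks one from the routing table.
    s.bind((source_ip, 0))
    s.connect(dest)
    return s


def start_echo_listener():
    """Constructed 'internal' server on loopback that echoes one message."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(1024))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def proxy_hop(dest):
    """The proxy's second step: connect to the internal destination from the
    pinned source, send a probe and return (source_ip_used, reply)."""
    with connect_from(ALLOWED_SOURCE, dest) as s:
        src_ip = s.getsockname()[0]
        s.sendall(b"probe\n")
        reply = s.recv(1024)
    return src_ip, reply


def demo():
    """Pinned source succeeds; any other source is refused by policy."""
    dest = start_echo_listener()
    src_ip, reply = proxy_hop(dest)
    try:
        connect_from("127.0.0.2", dest)
        blocked = False
    except SourcePolicyError:
        blocked = True
    return src_ip, reply, blocked


if __name__ == "__main__":
    print(demo())
```

With the source pinned this way, an OUTPUT rule that matches on that address (iptables `-s <external IP>` together with `-o <internal interface>`) sees exactly one source for every connection the proxy originates, which is what keeps the ruleset predictable even if the proxy itself is compromised.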