* Re: Purpose of self-referential rule
2003-02-24 16:06 Purpose of self-referential rule Kelly Setzer
@ 2003-02-26 14:03 ` Joel Newkirk
2003-02-26 14:55 ` Kelly Setzer
2003-02-26 15:33 ` Alistair Tonner
2003-02-26 17:52 ` Del Winiecki
2 siblings, 1 reply; 5+ messages in thread
From: Joel Newkirk @ 2003-02-26 14:03 UTC (permalink / raw)
To: Kelly Setzer, netfilter
On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables. One of the rules is generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j
> ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net. My question is, when would the firewall ever see a
> packet that could possible match this? Any packet with a source and
> destination on the same network would send the packet directly (no
> routing, thus no firewall).
>
> What am I missing?
What's the IP of eth1? This is the INPUT chain, so it's for traffic
targeted at the firewall box itself. Having a destIP listed with a /24
is a little odd, though, unless you are DHCP assigned IP or some such
where it won't know the IP when the rule is generated, or it may change.
j
> thanks,
> Kelly
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Purpose of self-referential rule
2003-02-26 14:03 ` Joel Newkirk
@ 2003-02-26 14:55 ` Kelly Setzer
0 siblings, 0 replies; 5+ messages in thread
From: Kelly Setzer @ 2003-02-26 14:55 UTC (permalink / raw)
To: netfilter
On Wed, Feb 26, 2003 at 09:03:58AM -0500, Joel Newkirk wrote:
> On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> > I've been experimenting with gShield trying to learn the ins and outs
> > of iptables. One of the rules is generates is:
> >
> > iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j
> > ACCEPT
> >
> > The source and dest are correct for my internal network, and eth1 is
> > the internal net. My question is, when would the firewall ever see a
> > packet that could possible match this?
> >
>
> What's the IP of eth1? This is the INPUT chain, so it's for traffic
> targeted at the firewall box itself. Having a destIP listed with a /24
> is a little odd, though, unless you are DHCP assigned IP or some such
> where it won't know the IP when the rule is generated, or it may change.
The eth1 interface has a statically assigned address of 192.168.6.1.
Another respondent mentioned that it's only use (as INPUT rule) would
be allow traffic directly to the firewall. DHCP is used to assign
addresses to windows clients on this network. In any case, it seems a
little weak to allow clients full access to the firewall - way too
open.
I suppose I should try removing the rule and seeing if anything
breaks.
thanks all,
Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com http://www.placemark.com
(972)404-8100x41 (work) (214) 287-3464 (cell)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Purpose of self-referential rule
2003-02-24 16:06 Purpose of self-referential rule Kelly Setzer
2003-02-26 14:03 ` Joel Newkirk
@ 2003-02-26 15:33 ` Alistair Tonner
2003-02-26 17:52 ` Del Winiecki
2 siblings, 0 replies; 5+ messages in thread
From: Alistair Tonner @ 2003-02-26 15:33 UTC (permalink / raw)
To: Kelly Setzer, netfilter
Hi:
This rule would only really be invoked when in a packet left a system on the
internal network headed for the firewall box itself (presumably the firewall
has a valid network address on that segment.) -- however that rule is rather
loose, since it supposes that it is accepting a destination of the entire
segment, rather than for a specific IP on the firewall. This might be valid
if you had wireless lan tunnelling equipment that used the firewall as a
router, and the rule was in the forward chain. There was a discussion
recently about controlling access to MS shares in a public wireless lan, but
the solution was not in iptables, but in the wireless lan tunnelling
software.
What is the intent of the rule is perhaps the more appropriate question.
This would be appropriate for certain envrionments, but not in most.
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
On February 24, 2003 11:06 am, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables. One of the rules is generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net. My question is, when would the firewall ever see a
> packet that could possible match this? Any packet with a source and
> destination on the same network would send the packet directly (no
> routing, thus no firewall).
>
> What am I missing?
>
> thanks,
> Kelly
> --
> Kelly Setzer, System Administrator/Architect - Placemark Investments
> 14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
> kelly.setzer@placemark.com http://www.placemark.com
> (972)404-8100x41 (work) (214) 287-3464 (cell)
--
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: Purpose of self-referential rule
2003-02-24 16:06 Purpose of self-referential rule Kelly Setzer
2003-02-26 14:03 ` Joel Newkirk
2003-02-26 15:33 ` Alistair Tonner
@ 2003-02-26 17:52 ` Del Winiecki
2 siblings, 0 replies; 5+ messages in thread
From: Del Winiecki @ 2003-02-26 17:52 UTC (permalink / raw)
To: netfilter
Kelly, typically you have a default route set on each machine on your
LAN, and that gateway address would be your linux router.
Yes, packets COULD be sent directly, but you'd have to reset the route
in your machine each time you wanted to point to a different machine.
So, the router IS routing all your traffic on the LAN in a normal setup.
So the line in iptables is useful. I use this kind of statement here
where I have 3 different companies sharing a fiber-optic line back to my
ISP. In your example, since its an INPUT statement, limits access to
machines on the 192.168.6.0/24 network assuming you have a DROP policy
for INPUT.
-Del
On Mon, 2003-02-24 at 09:06, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables. One of the rules is generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net. My question is, when would the firewall ever see a
> packet that could possible match this? Any packet with a source and
> destination on the same network would send the packet directly (no
> routing, thus no firewall).
>
> What am I missing?
>
> thanks,
> Kelly
> --
> Kelly Setzer, System Administrator/Architect - Placemark Investments
> 14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
> kelly.setzer@placemark.com http://www.placemark.com
> (972)404-8100x41 (work) (214) 287-3464 (cell)
^ permalink raw reply [flat|nested] 5+ messages in thread