Linux Netfilter discussions
From: Kelly Setzer <Kelly.Setzer@placemark.com>
To: netfilter@lists.netfilter.org
Subject: Re: Purpose of self-referential rule
Date: Wed, 26 Feb 2003 08:55:48 -0600
Message-ID: <20030226145548.GC28230@placemark.com>
In-Reply-To: <200302260903.58241.netfilter@newkirk.us>

On Wed, Feb 26, 2003 at 09:03:58AM -0500, Joel Newkirk wrote:
> On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> > I've been experimenting with gShield trying to learn the ins and outs
> > of iptables.  One of the rules it generates is:
> >
> > iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
> >
> > The source and dest are correct for my internal network, and eth1 is
> > the internal net.  My question is, when would the firewall ever see a
> > packet that could possibly match this?
> >
> 
> What's the IP of eth1?  This is the INPUT chain, so it's for traffic 
> targeted at the firewall box itself.  Having a destIP listed with a /24 
> is a little odd, though, unless you are DHCP assigned IP or some such 
> where it won't know the IP when the rule is generated, or it may change.

The eth1 interface has a statically assigned address of 192.168.6.1.
Another respondent mentioned that its only use (as an INPUT rule) would
be to allow traffic directly to the firewall.  DHCP is used to assign
addresses to Windows clients on this network.  In any case, it seems a
little weak to allow clients full access to the firewall - way too
open.

I suppose I should try removing the rule and seeing if anything
breaks.

thanks all,
Kelly

--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com  http://www.placemark.com
(972)404-8100x41 (work)       (214) 287-3464 (cell)
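The question in the thread is when a packet can reach this INPUT rule at all. The following added example (not code from the thread or from gShield) models the routing decision that sends a packet to INPUT or FORWARD and the match against the gShield rule, and compares it with a narrowed rule that admits only unicast DHCP traffic to the firewall's own address. The firewall's eth1 address 192.168.6.1 is from the thread; the external address 203.0.113.10 and the client hosts are constructed sample values.

```python
"""Model of INPUT vs FORWARD classification and iptables-style matching.
Added example; all hosts except 192.168.6.1 are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses owned by the firewall box itself. eth1 = 192.168.6.1 (from the
# thread); 203.0.113.10 is an assumed placeholder for the external side.
LOCAL_ADDRS = {"192.168.6.1", "203.0.113.10"}
LIMITED_BROADCAST = "255.255.255.255"   # delivered locally, never routed

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    proto: str = "tcp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    chain: str
    src: str                      # -s CIDR
    dst: str                      # -d CIDR
    in_iface: str                 # -i
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    target: str = "ACCEPT"

def chain_for(pkt: Packet) -> str:
    """Routing decision: a packet addressed to one of the box's own
    addresses (or the limited broadcast) is delivered locally and hits
    INPUT; anything else is routed and hits FORWARD instead."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS or pkt.dst == LIMITED_BROADCAST else "FORWARD"

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet reaches the rule's chain and every criterion fits."""
    if chain_for(pkt) != rule.chain or pkt.in_iface != rule.in_iface:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

# The rule gShield generated, and a narrowed form: only UDP/67 (DHCP server
# port) to the firewall's own address, instead of every service on the box.
GSHIELD_RULE = Rule("INPUT", "192.168.6.0/24", "192.168.6.0/24", "eth1")
DHCP_ONLY = Rule("INPUT", "192.168.6.0/24", "192.168.6.1/32", "eth1", "udp", 67)
```

Note that the initial DHCPDISCOVER (source 0.0.0.0, destination 255.255.255.255) matches neither rule, so whatever admits it must be a different rule in the set.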

Thread overview: 5+ messages
2003-02-24 16:06 Purpose of self-referential rule Kelly Setzer
2003-02-26 14:03 ` Joel Newkirk
2003-02-26 14:55   ` Kelly Setzer [this message]
2003-02-26 15:33 ` Alistair Tonner
2003-02-26 17:52 ` Del Winiecki