Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 05/05/2000 23:28:20
>Looking at the top 10 old PR's which have not been closed, 991 (one that
>I'm responsible for :) is now there...and I think it is well past the
>time when it should be dealt with (there's been enough discussion about
>it both in GNATS and here :)
>
>The patch below introduces net.inet.ip.strictdest and I've set it up to
>default to the value of 1 - i.e. to enforce IP#'s to match interfaces.
i think the consensus the last time this went around was that this
could be done by people that wanted via ipfilter. a script (perl or
sh, i guess) should be able to generate the rules required for this
rather easily.
on the other hand...now that i have your attention, is "operator
intelligence" the only protection against something like
pass in quick on lo0 to lo0 from any to any
??? i just tried it to see if it would lock up the machine. and how!
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."
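As an added illustration of the rule-generating script idea raised in the reply above (this is not code from the thread, from NetBSD or from ipfilter), the following POSIX sh function emits `block in quick` rules so that a packet addressed to one interface's IP is dropped if it arrives on any other non-loopback interface. The interface table, names and addresses are constructed for the example; on a real host they would be taken from `ifconfig -a` output.

```shell
#!/bin/sh
# Constructed sample interface/address table (hypothetical names and
# addresses, not from the thread). Format: "ifname address", one per line.
IFTABLE='lo0 127.0.0.1
fxp0 192.0.2.10
fxp1 198.51.100.10'

# gen_strictdest_rules TABLE
# For every address in TABLE, print an ipfilter rule blocking that address
# as an inbound destination on each non-loopback interface that does not
# own it. Loopback addresses therefore get blocked on every real interface,
# and lo0 itself is never a blocking interface, so local delivery still works.
# The rules use "quick", so they must precede any broad "pass in" rules.
gen_strictdest_rules() {
    table="$1"
    # Distinct non-loopback interface names that can carry inbound traffic.
    ifaces=$(printf '%s\n' "$table" | awk '$1 != "lo0" { print $1 }' | sort -u)
    printf '%s\n' "$table" | while read -r owner addr; do
        [ -z "$owner" ] && continue
        for oif in $ifaces; do
            [ "$oif" = "$owner" ] && continue
            printf 'block in quick on %s from any to %s/32\n' "$oif" "$addr"
        done
    done
}

# Print the generated rule set for the sample table.
gen_strictdest_rules "$IFTABLE"
```

The output can be fed to `ipf -f -` after review; the count of rules grows with (addresses x interfaces), so on multi-homed hosts with many aliases it is worth checking the result before loading it.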