On Mon, Dec 10, 2001 at 01:50:19AM +0100, Guido Hennecke wrote:
> With ipchains you can make the following:
>
> ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
What this says is: all packets with destination 192.168.0.1 must have come in on eth1 or they will be denied. Why do you choose to specify the rule this way and not like this:

ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY

In other words: all packets coming in on eth0 must have destination 192.168.0.1 or they will be denied? Please explain.

Is it because you may later want to put your ethernet card into promiscuous mode and thus receive packets with any destination as if they were for you? My rule above would prevent this, whereas your rule would not. Both rules would prevent the attacker trying to circumvent the sshd bound IP address restriction, however.

Can you explain why you chose your rule?

Cheers.
Mark.
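To make the difference between the two rules concrete, here is a small model of ipchains match semantics (an added example, not code from the thread): each rule tests the arriving interface (-i) and the destination address (-d), a leading "!" inverts the test, and the first matching rule on the input chain decides. The sample packets and the 203.0.113.5 address are constructed for illustration.

```python
"""Model of the two ipchains rules from the thread (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    iface: Optional[str] = None   # -i value, None means "any interface"
    iface_negate: bool = False    # True models "-i ! <iface>"
    dst: Optional[str] = None     # -d value, None means "any destination"
    dst_negate: bool = False      # True models "! -d <addr>"
    target: str = "DENY"

    def matches(self, iface: str, dst: str) -> bool:
        """Both tests must hold; '!' flips the result of the test it prefixes."""
        ok_iface = self.iface is None or ((iface == self.iface) != self.iface_negate)
        ok_dst = self.dst is None or ((dst == self.dst) != self.dst_negate)
        return ok_iface and ok_dst


# Guido's rule: ipchains -A input -i ! eth1 -d 192.168.0.1 -j DENY
GUIDO = Rule(iface="eth1", iface_negate=True, dst="192.168.0.1")
# Mark's alternative: ipchains -A input -i eth0 ! -d 192.168.0.1 -j DENY
MARK = Rule(iface="eth0", dst="192.168.0.1", dst_negate=True)


def verdict(chain: List[Rule], iface: str, dst: str) -> str:
    """Walk the input chain; the first matching rule decides, else ACCEPT (policy)."""
    for rule in chain:
        if rule.matches(iface, dst):
            return rule.target
    return "ACCEPT"


# Constructed sample packets: (arriving interface, destination address).
SAMPLES = [
    ("eth1", "192.168.0.1"),  # internal host reaching the sshd bound address
    ("eth0", "192.168.0.1"),  # packet on the external side carrying the internal address
    ("eth0", "203.0.113.5"),  # external packet to some other address
    ("eth1", "203.0.113.5"),  # internal packet to some other address
]


def compare() -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Return {(iface, dst): (verdict under Guido's rule, verdict under Mark's rule)}."""
    return {pkt: (verdict([GUIDO], *pkt), verdict([MARK], *pkt)) for pkt in SAMPLES}


if __name__ == "__main__":
    for (iface, dst), (g, m) in compare().items():
        print(f"{iface:5} -> {dst:13}  Guido: {g:6}  Mark: {m}")
```

Running it shows that the two rules deny disjoint sets of packets: Guido's rule drops a packet for 192.168.0.1 that did not arrive on eth1, while Mark's rule drops eth0 packets whose destination is anything other than 192.168.0.1.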