Re: two ethernet without routing
On Wed, 13 Mar 2002, Stephane Bortzmeyer wrote:

> On Wed, Mar 13, 2002 at 10:38:53AM -0800,
> Jeremy C. Reed <[EMAIL PROTECTED]> wrote
> a message of 37 lines which said:
>
> > You shouldn't have to set up a firewall as a workaround either. If your NIC
> > card is configured for a particular IP and you want to stop it, then
> > simply unplugging the ethernet cable should do it.
>
> No Unix works that way.

RFC 1122: strong ES model. (His problem is Linux's weak "End System" model.)

For example, FreeBSD offers a sysctl (net.inet.ip.check_interface) for verifying that an incoming packet arrives on an interface that has an address matching the packet's destination address. I know other Unixes also offer this. I assume that a patch is available for the Linux kernel to also provide this.

Jeremy C. Reed
...
ISP-FAQ.com -- find answers to your questions
http://www.isp-faq.com/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: two ethernet without routing
On Wed, Mar 13, 2002 at 10:38:53AM -0800,
Jeremy C. Reed <[EMAIL PROTECTED]> wrote
a message of 37 lines which said:

> You shouldn't have to set up a firewall as a workaround either. If your NIC
> card is configured for a particular IP and you want to stop it, then
> simply unplugging the ethernet cable should do it.

No Unix works that way.

Re: two ethernet without routing
On Wed, 13 Mar 2002, Russell Coker wrote:

> On Wed, 13 Mar 2002 12:56, Bart-Jan Vrielink wrote:
> > This behaviour is not routing. The server is not 'moving' a packet from
> > one subnet to the other subnet. It is only just listening for every ip
> > it knows on every interface.
> >
> > Use a firewall on the server to block unwanted connections (or better,
> > use a firewall to only allow wanted connections)
>
> Or just configure which interfaces you want Apache to listen to, it's the
> "Listen" directive you want, see the Apache docs.

Is it normal or correct behaviour for an interface to listen to IPs that it is not configured for? (Yes, I do know it is normal for services, like httpd, to listen to 0.0.0.0.)

The packets shouldn't get to Apache in the first place.

You shouldn't have to set up a firewall as a workaround either. If your NIC card is configured for a particular IP and you want to stop it, then simply unplugging the ethernet cable should do it.

Josep, are you testing this locally from the same machine or over the network?

Jeremy C. Reed
...
ISP-FAQ.com -- find answers to your questions
http://www.isp-faq.com/

Re: two ethernet without routing
On Wed, 13 Mar 2002 12:56, Bart-Jan Vrielink wrote:
> This behaviour is not routing. The server is not 'moving' a packet from
> one subnet to the other subnet. It is only just listening for every ip
> it knows on every interface.
>
> Use a firewall on the server to block unwanted connections (or better,
> use a firewall to only allow wanted connections)

Or just configure which interfaces you want Apache to listen to, it's the "Listen" directive you want, see the Apache docs.

--
If you send email to me or to a mailing list that I use which has >4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.

Re: two ethernet without routing
On Wed, 2002-03-13 at 12:16, [EMAIL PROTECTED] wrote:
> Well, there is still some kind of routing:
>
> /etc/network/options:
> ip_forward=no
>
> was already done.
> I still can connect to my server through both IPs even though eth1 has no cable
> connected.

This behaviour is not routing. The server is not 'moving' a packet from one subnet to the other subnet. It is only just listening for every ip it knows on every interface.

Use a firewall on the server to block unwanted connections (or better, use a firewall to only allow wanted connections)

> From: "Stephane Bortzmeyer" <[EMAIL PROTECTED]>
> > On Wed, Mar 13, 2002 at 11:27:31AM +0100,
> > [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote
> > a message of 18 lines which said:
> >
> > > How can I deactivate the routing option between cards?
> >
> > /etc/network/options:
> >
> > ip_forward=no
> >
> > Check with 'cat /proc/sys/net/ipv4/ip_forward'.
> >
> > > There has to be some kind of routing now because I can connect to my apache
> > > typing the two IPs even though I've just one cable connected to eth0.
> >
> > Wrong analysis. As soon as the machine receives a packet with one of
> > its IP addresses as the destination, it will handle it (even if it
> > does not come from the "right" network card).

--
See you,
Bart-Jan

Re: two ethernet without routing
On Wed, 2002-03-13 at 12:27, Jean-Marc V. Liotier wrote:
> On Wed, 2002-03-13 at 11:27, [EMAIL PROTECTED] wrote:
> >
> > There has to be some kind of routing now because I can connect to my apache
> > typing the two IPs even though I've just one cable connected to eth0.
>
> You have to explicitly block and log spoof attempts. For example, if
> you have eth0 on 192.168.0.0/24 and eth1 on 192.168.1.0/24
>
> /sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j LOG
> /sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
> /sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j LOG
> /sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP
>
> This way packets will only be accepted if they come in through the
> "right" interface, and you will be alerted if some don't.

Actually, the previous commands assume that the entire universe is only made from the two example subnets. The following one is more realistic:

# If a packet comes in on eth1 and its source is not 192.168.1.0/24
# then log it and drop it.
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.1.0/24 -j LOG
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.1.0/24 -j DROP
# Same for the other interface/subnet couple.
/sbin/iptables -A INPUT -i eth0 -s ! 192.168.0.0/24 -j LOG
/sbin/iptables -A INPUT -i eth0 -s ! 192.168.0.0/24 -j DROP

Re: two ethernet without routing
On Wed, 2002-03-13 at 11:27, [EMAIL PROTECTED] wrote:
>
> There has to be some kind of routing now because I can connect to my apache
> typing the two IPs even though I've just one cable connected to eth0.

You have to explicitly block and log spoof attempts. For example, if you have eth0 on 192.168.0.0/24 and eth1 on 192.168.1.0/24

/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j LOG
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j LOG
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP

This way packets will only be accepted if they come in through the "right" interface, and you will be alerted if some don't.

Re: two ethernet without routing
Well, there is still some kind of routing:

/etc/network/options:
ip_forward=no

was already done.

cat /proc/sys/net/ipv4/ip_forward returns 0

My interfaces file:

iface eth0 inet static
    address 192.168.1.27
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.2

iface eth1 inet static
    address 192.168.1.28
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

I still can connect to my server through both IPs even though eth1 has no cable connected.

Thanks
Josep

----- Original Message -----
From: "Stephane Bortzmeyer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 13, 2002 11:45 AM
Subject: Re: two ethernet without routing

> On Wed, Mar 13, 2002 at 11:27:31AM +0100,
> [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote
> a message of 18 lines which said:
>
> > How can I deactivate the routing option between cards?
>
> /etc/network/options:
>
> ip_forward=no
>
> Check with 'cat /proc/sys/net/ipv4/ip_forward'.
>
> > There has to be some kind of routing now because I can connect to my apache
> > typing the two IPs even though I've just one cable connected to eth0.
>
> Wrong analysis. As soon as the machine receives a packet with one of
> its IP addresses as the destination, it will handle it (even if it
> does not come from the "right" network card).

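Two fixes are proposed in this thread: Jean-Marc's source-based anti-spoof rules, and the destination-address check that Jeremy points to in FreeBSD's net.inet.ip.check_interface (only accept a packet on an interface that actually owns the destination address). The script below is an added example written for this page, not code from any of the posters. It builds both kinds of INPUT rules from a small interface table constructed from Josep's interfaces file above (eth0 192.168.1.27 with gateway 192.168.1.2, eth1 192.168.1.28), prints them instead of applying them, and dry-runs the policy against a few constructed packets so the effect can be checked on any machine with a POSIX shell. The table layout, function names and log prefixes are this example's own choices.

```sh
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Generates the two kinds of INPUT rules discussed (source-based anti-spoof
# rules as Jean-Marc posted them, and destination-based rules that emulate
# FreeBSD's net.inet.ip.check_interface) and dry-runs them against
# constructed packets, so the policy can be checked without root or iptables.
#
# Topology is constructed from Josep's interfaces file:
#   eth0 192.168.1.27 (default gateway 192.168.1.2), eth1 192.168.1.28.

# Source-based table (iface:prefix). Only for interfaces whose peers all
# live on the connected prefix: eth0 faces the default gateway and so sees
# routed traffic from anywhere, so it is deliberately left out.
SRC_TABLE="eth1:192.168.1.0/24"

# Destination-based table (iface:address), one address per interface.
DST_TABLE="eth0:192.168.1.27
eth1:192.168.1.28"

# --- rule generation --------------------------------------------------

# Jean-Marc's rules, written with the '! -s' negation that current iptables
# expects (the 2002 posts used the older, deprecated '-s !' spelling).
antispoof_rules() {  # antispoof_rules IFACE PREFIX
    printf '/sbin/iptables -A INPUT -i %s ! -s %s -j LOG --log-prefix "SPOOF %s: "\n' "$1" "$2" "$1"
    printf '/sbin/iptables -A INPUT -i %s ! -s %s -j DROP\n' "$1" "$2"
}

# check_interface emulation: accept on an interface only what is addressed
# to that interface's own address.
strong_host_rules() {  # strong_host_rules IFACE ADDR
    printf '/sbin/iptables -A INPUT -i %s ! -d %s -j LOG --log-prefix "WRONGIF %s: "\n' "$1" "$2" "$1"
    printf '/sbin/iptables -A INPUT -i %s ! -d %s -j DROP\n' "$1" "$2"
}

# Expand an "iface:value" table through one of the generators above.
gen_rules() {  # gen_rules GENERATOR TABLE
    for entry in $2; do
        "$1" "${entry%%:*}" "${entry#*:}"
    done
}

# --- dry run ----------------------------------------------------------

ip2int() {  # dotted quad -> integer (IFS change is confined to the subshell)
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

in_prefix() {  # in_prefix ADDR NET/BITS  (a bare address means /32)
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# verdict TABLE FIELD IFACE SRC DST: what the rules generated from TABLE do
# with a packet arriving on IFACE. FIELD is "src" (anti-spoof table) or
# "dst" (strong-host table). Interfaces without an entry are left alone.
verdict() {
    table=$1 field=$2 in_if=$3
    case $field in src) pkt=$4 ;; dst) pkt=$5 ;; esac
    for entry in $table; do
        [ "${entry%%:*}" = "$in_if" ] || continue
        if in_prefix "$pkt" "${entry#*:}"; then echo ACCEPT; else echo DROP; fi
        return 0
    done
    echo ACCEPT
}

# --- demo -------------------------------------------------------------

echo "# source-based rules:";      gen_rules antispoof_rules "$SRC_TABLE"
echo "# destination-based rules:"; gen_rules strong_host_rules "$DST_TABLE"
echo
printf '%-6s %-14s %-14s %s\n' IFACE SRC DST "SRC-RULES / DST-RULES"
# Constructed packets. The first is Josep's observation: a LAN client
# reaching eth1's address through the only cabled NIC. The last is traffic
# routed in from outside via the gateway, which must keep working.
for pkt in "eth0 192.168.1.50 192.168.1.28" \
           "eth0 192.168.1.50 192.168.1.27" \
           "eth1 10.0.0.9     192.168.1.28" \
           "eth0 203.0.113.7  192.168.1.27"; do
    set -- $pkt
    printf '%-6s %-14s %-14s %s\n' "$1" "$2" "$3" \
        "$(verdict "$SRC_TABLE" src "$@") / $(verdict "$DST_TABLE" dst "$@")"
done
```

The dry run makes the thread's point concrete: Josep's two interfaces sit in the same /24, so a source-prefix rule can never tell "arrived on the wrong card" from legitimate LAN traffic (first packet: source rules ACCEPT), while the destination rule drops it exactly as FreeBSD's check_interface would. Two caveats before applying the printed commands: the `! -d` rules assume one address per interface and also drop broadcast and multicast arriving on that interface, so anything the host needs of those must be accepted first; and a source-prefix rule belongs only on interfaces whose peers are all on the connected prefix, which is why eth0, carrying the default gateway, is left out of SRC_TABLE here.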
Re: two ethernet without routing
On Wed, Mar 13, 2002 at 11:27:31AM +0100,
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote
a message of 18 lines which said:

> How can I deactivate the routing option between cards?

/etc/network/options:

ip_forward=no

Check with 'cat /proc/sys/net/ipv4/ip_forward'.

> There has to be some kind of routing now because I can connect to my apache
> typing the two IPs even though I've just one cable connected to eth0.

Wrong analysis. As soon as the machine receives a packet with one of its IP addresses as the destination, it will handle it (even if it does not come from the "right" network card).