My Linux server is behind a router/firewall doing NAT.
I have a page that accepts requests, and the only valid originators of
that request are on the local network (actually they happen to be on
the same box currently), also behind the router. However, the
AOLserver serving that page also does
On Tue, Aug 19, 2003 at 10:18:43AM -0500, Rob Mayoff wrote:
In fact there are four address-filtering rules your router should use:
- Drop a packet from the WAN with a LAN source address
- Drop a packet from the WAN without a LAN destination address
- Drop a packet from the LAN without a LAN
Spoofing [ns_conn peeraddr] at the IP level is difficult if your
platform has random enough IP initial sequence numbers, and can be
blocked at your router with an explicit rule to drop inbound packets on
the WAN interface that have a source address on your LAN.
There has also been talk on the list
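The address-filtering rules above, as an added example that is not part of the thread or of AOLserver: a small Python model that applies the rules to constructed packets so each rule's effect can be checked, plus the equivalent iptables commands. It assumes the LAN is 192.168.1.0/24, the interfaces are named "wan" and "lan", and the cut-off fourth rule is the usual egress check (drop a packet from the LAN without a LAN source address); those are the editor's assumptions, not the list's.

```python
"""Router address-filtering rules from the thread, modelled in Python.

Added example, not code from the thread or from AOLserver. Assumptions:
LAN is 192.168.1.0/24, interfaces are "wan" and "lan", and the fourth
(cut-off) rule is "drop a packet from the LAN without a LAN source address".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.1.0/24")   # assumed LAN prefix
WAN_IF = "wan"                        # assumed interface names
LAN_IF = "lan"


@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address     # on a NAT router: the destination after DNAT


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return ("DROP", rule-name) or ("ACCEPT", "") for one packet."""
    if pkt.iface == WAN_IF:
        # Nothing on the Internet legitimately uses one of our LAN addresses,
        # so such a source is spoofed; this rule is what protects a check
        # built on [ns_conn peeraddr].
        if pkt.src in LAN:
            return "DROP", "wan-src-is-lan"
        # Inbound traffic must be for a LAN host (seen post-DNAT); anything
        # else is someone trying to relay through us.
        if pkt.dst not in LAN:
            return "DROP", "wan-dst-not-lan"
    elif pkt.iface == LAN_IF:
        # Egress check (assumed completion of the cut-off fourth rule):
        # hosts behind us must not emit packets with foreign source addresses.
        if pkt.src not in LAN:
            return "DROP", "lan-src-not-lan"
    return "ACCEPT", ""


def iptables_rules(lan: IPv4Network = LAN, wan_if: str = WAN_IF,
                   lan_if: str = LAN_IF) -> list[str]:
    """The same checks as iptables FORWARD-chain commands (returned, not run).

    FORWARD sees the destination after DNAT, so the second rule works on a
    NAT router; add the first rule to INPUT too if the router itself
    offers services.
    """
    return [
        f"iptables -A FORWARD -i {wan_if} -s {lan} -j DROP",
        f"iptables -A FORWARD -i {wan_if} ! -d {lan} -j DROP",
        f"iptables -A FORWARD -i {lan_if} ! -s {lan} -j DROP",
    ]


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet(WAN_IF, IPv4Address("192.168.1.10"), IPv4Address("192.168.1.20")),  # spoofed LAN source
    Packet(WAN_IF, IPv4Address("203.0.113.5"), IPv4Address("198.51.100.9")),   # not for a LAN host
    Packet(WAN_IF, IPv4Address("203.0.113.5"), IPv4Address("192.168.1.20")),   # normal inbound
    Packet(LAN_IF, IPv4Address("203.0.113.7"), IPv4Address("198.51.100.9")),   # spoof from inside
    Packet(LAN_IF, IPv4Address("192.168.1.20"), IPv4Address("198.51.100.9")),  # normal outbound
]


def verdicts(packets=SAMPLE) -> list[str]:
    """ACCEPT/DROP verdict per packet, in order."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE:
        action, rule = filter_packet(p)
        print(f"{p.iface:3} {p.src!s:>14} -> {p.dst!s:<14} {action:6} {rule}")
    print("\n".join(iptables_rules()))
```

The first sample packet is the case the thread is about: a WAN packet carrying a LAN source address, which the first rule drops before it can reach the server and show up as a LAN peeraddr.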
+-- On Aug 20, russm said:
| There has also been talk on the list of having [ns_conn peeraddr]
| return the address in the X-Forwarded-For: header (if one exists).
I don't think anyone is pushing for XFF to be honored by default.
--
AOLserver - http://www.aolserver.com/
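On the X-Forwarded-For point, an added example that is not AOLserver code and not from the thread: it contrasts honoring X-Forwarded-For from any peer (what honoring it "by default" would amount to) with honoring it only when the TCP peer is a known reverse proxy, and takes the rightmost hop not added by a trusted proxy as the client. The LAN prefix, the proxy address and the sample requests are assumptions made for the illustration.

```python
"""Deciding whether a request came from the LAN when a proxy may be in front.

Added example, not AOLserver code. Assumptions: LAN is 192.168.1.0/24, a
trusted reverse proxy lives at 192.168.1.1, and the requests below are
constructed, not captured.
"""
from ipaddress import IPv4Network, ip_address

LAN = IPv4Network("192.168.1.0/24")             # assumed LAN prefix
TRUSTED_PROXIES = {ip_address("192.168.1.1")}   # assumed reverse proxy


def _parse_xff(value):
    """Parse 'a, b, c' into addresses; None if the header is absent or malformed."""
    if not value:
        return None
    try:
        return [ip_address(h.strip()) for h in value.split(",")]
    except ValueError:
        return None


def naive_client_addr(peeraddr, headers):
    """Unsafe: believes the first XFF hop from any peer. Any client can set it."""
    hops = _parse_xff(headers.get("X-Forwarded-For"))
    return hops[0] if hops else ip_address(peeraddr)


def client_addr(peeraddr, headers):
    """Safe: consult XFF only when the TCP peer is a trusted proxy.

    Walk the hops from the right; the first one not belonging to a trusted
    proxy is the real client. A trusted proxy sending a malformed header
    yields None (fail closed) rather than silently passing as the proxy.
    """
    peer = ip_address(peeraddr)
    if peer not in TRUSTED_PROXIES:
        return peer                      # direct connection: header is untrusted
    hops = _parse_xff(headers.get("X-Forwarded-For"))
    if hops is None:
        return None
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return None                          # only proxies in the chain: no client


def is_local_request(peeraddr, headers, resolver=client_addr):
    """True if the resolved client address is on the LAN."""
    addr = resolver(peeraddr, headers)
    return addr is not None and addr in LAN


# Constructed requests (peeraddr, headers); not captured data.
DIRECT_FORGED = ("203.0.113.9", {"X-Forwarded-For": "192.168.1.10"})
VIA_PROXY_FORGED = ("192.168.1.1", {"X-Forwarded-For": "192.168.1.10, 203.0.113.9"})
VIA_PROXY_GENUINE = ("192.168.1.1", {"X-Forwarded-For": "192.168.1.20"})
VIA_PROXY_BAD = ("192.168.1.1", {"X-Forwarded-For": "not-an-ip"})

if __name__ == "__main__":
    for name, req in [("direct, forged XFF", DIRECT_FORGED),
                      ("via proxy, forged XFF", VIA_PROXY_FORGED),
                      ("via proxy, genuine", VIA_PROXY_GENUINE),
                      ("via proxy, malformed", VIA_PROXY_BAD)]:
        print(f"{name:24} naive={is_local_request(*req, resolver=naive_client_addr)!s:5} "
              f"safe={is_local_request(*req)}")
```

The first constructed request is the one that matters for the page in question: with the header honored unconditionally, a WAN client that sets X-Forwarded-For to a LAN address passes the "local only" check without any IP-level spoofing at all.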