> On Sat, 13 Jul 2002, David S. Miller wrote:
>
> >
> > You have to use specific source-routing settings in conjunction with
> > enabling arp_filter in order for arp_filter to have any effect.
> >
> > This is a FAQ.
>
> a couple google queries yielded no answer to this faq... is there a posted
> example somewhere?
Clearly FAQ means frequently asked, not answered. I can't find the
appropriate patch, clearly some people regard allowing source routing to
be a benefit.
> is the default behaviour of use to anyone? this question comes up like
> every other month.
Yes, it's useful to hackers to send a packet to your external interface
with the address of your internal interface; if the packet is
accepted it might bypass some of your firewall protections. I assume the
source routing settings David mentions are the normal "if the destination
IP is not this machine, log and drop the packet." With a few possible
exceptions for packets other than normal tcp/udp. That's why the bogus arp
is harmful: the requestor then tries to use the mac address for the wrong
IP and the packets just get dropped by the firewall code.
Like you, I can't see why it would be anything but a bug to do what is
essentially proxy arp by default.
--
bill davidsen <davidsen@tmr.com>
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.