Iptables initialization

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Feb 14 09:12:36 PST 2004


On Sat, 2004-02-14 at 11:05, Robert Connolly wrote:

> A software bridge will pass ARP straight through unless the firewall knows what 
> ARP is. Same should be true for many protocols. In the case of SELinux, it 
> doesn't know what IPv6 is (at least this used to be true), so it ignores it 
> and lets IPv6 do whatever it wants. Unknown protocols tend to be passed by 
> default.

ARP isn't going to go through a firewall because ARP doesn't have
routing *hinthint*.  The firewall has to have routing instructions for a
particular protocol, or it's just not going to go through and come out
the other side.  Unknown protocols are only passed by default if you are
ignoring the principle of least privilege (again, "that which is not
explicitly allowed is denied by default").

If you're not going to research this further then just take my word on
the ARP thing.  I'm very familiar with ARP trickery and one of my more
favorite stunts to do is show people how to make their firewall use no
public IPs whatsoever (which also has the nice side-effect of making the
firewall utterly untouchable outside of its two local networks).
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
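The "denied by default" stance the reply insists on is easiest to see as an actual iptables initialization. The script below is an added example written for this archive page; it is not code from the thread or from the HLFS project. It emits a ruleset in iptables-restore format whose INPUT and FORWARD chains carry a DROP policy, with the only ACCEPT rules being the ones listed explicitly (loopback, conntrack replies, a placeholder list of TCP ports, and LAN-to-WAN forwarding). The interface name, LAN prefix and port list are assumptions supplied as environment variables or arguments. Note that iptables only ever sees IP: ARP is a link-layer protocol, so on a routing firewall it simply has no path to the far side, and on a Linux bridge it would be ebtables/arptables, not this ruleset, that decides its fate.

```shell
#!/bin/sh
# Added example (not from the original mailing-list message): a default-deny
# iptables initialization expressed as an iptables-restore ruleset.
# WAN_IF, LAN_NET and ALLOW_TCP_PORTS are assumed placeholder values.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"

# Print one ruleset line; '%s' keeps lines that start with '-A' from being
# mistaken for printf options.
emit() { printf '%s\n' "$1"; }

# gen_default_deny_rules [wan_if] [lan_net] [tcp_ports]
# Writes a complete *filter table to stdout.  Policies are DROP, so anything
# not matched by an explicit ACCEPT below never crosses the box.
gen_default_deny_rules() {
    wan=${1:-$WAN_IF}
    lan=${2:-$LAN_NET}
    ports=${3:-$ALLOW_TCP_PORTS}

    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    # OUTPUT is left open here; tighten it once you know what the firewall
    # host itself must originate (DNS, NTP, package mirrors, ...).
    emit ':OUTPUT ACCEPT [0:0]'

    # Traffic to the firewall itself.
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        emit "-A INPUT -i $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy is about to eat, rate limited so a flood
    # cannot fill the disk; the policy itself does the dropping.
    emit '-A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-drop-in: "'

    # Traffic routed through the firewall: replies in either direction,
    # plus new connections from the LAN outwards.  Nothing new from the WAN.
    emit '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    emit '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit "-A FORWARD -s $lan ! -d $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT"
    emit '-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "fw-drop-fwd: "'
    emit 'COMMIT'
}

# chain_policy CHAIN: read a ruleset on stdin and print that chain's policy.
# Handy for checking a generated or saved ruleset before loading it.
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2 }'
}

# apply_rules [wan_if] [lan_net] [tcp_ports]: syntax-check with
# iptables-restore --test, then load atomically.  Refuses to run unless it
# is root and iptables-restore is present.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2; return 2
    fi
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "apply_rules: iptables-restore not found" >&2; return 2
    fi
    gen_default_deny_rules "$@" | iptables-restore --test || return 1
    gen_default_deny_rules "$@" | iptables-restore
}

# Usage: ./fw.sh show   (print the ruleset)   ./fw.sh apply   (load it, as root)
case "${1:-}" in
    show)  gen_default_deny_rules ;;
    apply) apply_rules ;;
esac
```

Printing the ruleset and piping it through `chain_policy INPUT` before applying is a cheap way to catch the classic mistake of a script that flushes the chains but leaves the policy at ACCEPT, which is exactly the "unknown protocols pass by default" situation the reply warns about.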




More information about the hlfs-dev mailing list