[clug] Enforce SSH tunnel to squid proxy

Martin Pool mbp at samba.org
Tue Sep 23 17:11:58 EST 2003

On 23 Sep 2003, Sam Couter <sam at couter.dropbear.id.au> wrote:
> Ian Perry <nightweaver at thebhg.org> wrote:
> > Can you bind squid to instead?
> Wasn't there a big fuss a while back about Linux letting network packets
> at any interface, even if they didn't come from a network connected to
> that interface? If I'm remembering it correctly, binding to
> won't change anything if there's another network interface active.

The 'spoof protect' / rp_filter checks that packets only come in on
the expected interface, where 'expected' is determined by the route

However, even if this check is disabled, it would not be possible to
establish a TCP connection because the acknowledgements would go out
the lo interface.

In normal use if you listen on localhost, you will only see
connections from localhost.  If you're worried it is easy to test.
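As an added example that is not part of the thread, here is a small Python check for the test Martin describes: bind a listener to the loopback address (assumed here to be 127.0.0.1, since the thread's addresses were lost in archiving), try to reach it through each of the host's other IPv4 addresses, and compare against a wildcard bind. The address discovery via the hostname is a best-effort assumption and may find nothing on a single-interface box.

```python
import socket


def listen_on(bind_addr):
    """Open a TCP listener on bind_addr with an ephemeral port and return it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv


def can_connect(addr, port, timeout=1.0):
    """True if a TCP handshake to (addr, port) completes; False on refusal or timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_non_loopback_addrs():
    """Best-effort list of this host's IPv4 addresses other than 127.x (assumption:
    the hostname resolves to the host's interface addresses)."""
    addrs = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            ip = info[4][0]
            if not ip.startswith("127."):
                addrs.add(ip)
    except socket.gaierror:
        pass
    return sorted(addrs)


def probe_listener(bind_addr="127.0.0.1"):
    """Bind to bind_addr, then report which local addresses can reach the port.

    With bind_addr="127.0.0.1" only the loopback entry should be True: a SYN sent
    to one of the host's other addresses is routed via lo, finds no socket bound
    to that address/port, and is answered with a RST (connection refused).
    With bind_addr="0.0.0.0" every local address should be True.
    """
    srv = listen_on(bind_addr)
    port = srv.getsockname()[1]
    results = {"127.0.0.1": can_connect("127.0.0.1", port)}
    for ip in local_non_loopback_addrs():
        results[ip] = can_connect(ip, port)
    srv.close()
    return results
```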
