[clug] Firewall rules for CentOS 4.4

Sam Couter sam at couter.id.au
Sat Mar 10 09:10:15 GMT 2007

Ben <shadroth at gmail.com> wrote:
> I thought that by having separate NICs on separate networks, each with
> their own subnet would address this issue, but if someone sets up a
> 192.168.2.x address on the same network as eth0 (and anyone could do
> this), I was told there might be a possiblity of them doing something
> to the NFS share intended for the subnet.

The kernel should drop any packet if the incoming interface isn't the
same interface the kernel would route a reply packet back out of, so
those firewall rules won't change anything.

This used to be an option that was off by default, but I believe it's
now on by default. The option is called spoof protection.
Sam Couter         |  mailto:sam at couter.id.au
                   |  jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/linux/attachments/20070310/ab8a7670/attachment.bin

More information about the linux mailing list