[Gllug] Routing question

Bruce Richardson itsbruce at uklinux.net
Tue Apr 12 14:22:23 UTC 2005


On Tue, Apr 12, 2005 at 01:12:15PM +0100, Tom wrote:
> And now I can ping 192.168.0.13 from another local host - and don't
> understand why / is there any way to avoid that? I suppose I imagined
> the interfaces kept themselves separate.

This is because of a "feature" in Linux ARP.  The Linux network gods
have been defending this abuse of the RFCs forever, but it is a stupid,
senseless security hole.  What is happening is that when the second box
sends out an ARP "who-has 192.168.0.13", the first box is answering.  By
default, Linux boxes will answer ARP queries for any of their IP
addresses on any of their interfaces (with the exception of any
addresses assigned to the loopback interface).  So if you have a
gateway/firewall box with an external, public interface and an
internal, private one, anyone who has access to a machine on the public
subnet (e.g. your ISP's router) can find out what the address on the
internal interface is just by sending ARP queries until they get a
response.

You can turn it off but if the feature should be there at all, it should
be off by default.

-- 
Bruce

I unfortunately do not know how to turn cheese into gold.
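As an added illustration, not part of Bruce's post: the behaviour he describes is governed by the per-interface `arp_ignore` sysctl (0 answers for any local address, 1 answers only for addresses configured on the receiving interface; the kernel applies the larger of `conf/all` and `conf/<iface>`). The POSIX shell helpers below audit a box from `sysctl -a` output and emit a hardened fragment; the sample output is constructed.

```shell
#!/bin/sh
# Added example: audit and harden Linux arp_ignore. Not from the original post.

# Constructed sample of "sysctl -a | grep arp_ignore" on a two-NIC gateway.
SAMPLE_SYSCTL='net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.lo.arp_ignore = 0'

# Print, one per line, the interfaces that will answer ARP for *any* local
# address. The effective value is max(conf/all, conf/<iface>), so an
# interface is weak only when both are 0. "all", "default" and "lo" are
# not real receiving interfaces and are skipped.
# Usage on a live box: weak_arp_ifaces "$(sysctl -a 2>/dev/null | grep arp_ignore)"
weak_arp_ifaces() {
    printf '%s\n' "$1" | awk -F'[. =]+' '
        $1 != "net" || $5 != "arp_ignore" { next }
        $4 == "all"                        { all_val = $6; next }
        $4 == "default" || $4 == "lo"      { next }
                                           { val[$4] = $6 }
        END {
            for (i in val)
                if ((all_val + 0) == 0 && (val[i] + 0) == 0) print i
        }' | sort
}

# Hardened fragment for /etc/sysctl.d/: reply only for addresses configured
# on the interface the request arrived on, on every current and future
# interface. Note that arp_ignore=1 breaks setups that deliberately rely on
# one interface answering for another's address (e.g. some load balancers).
# Apply with: arp_hardening_fragment > /etc/sysctl.d/60-arp.conf && sysctl --system
arp_hardening_fragment() {
    cat <<'EOF'
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 1
EOF
}
```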
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug