httpd-users mailing list archives

From Krist van Besien <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] Different security based on network interface
Date Wed, 14 Sep 2005 06:17:19 GMT
On 9/14/05, Scott Gifford <sgifford@suspectclass.com> wrote:
> "AragonX" <aragonx@dcsnow.com> writes:
> 
> [...]
> 
> > I know that mod_access and I think mod_security will allow me to do this
> > but they do it based on IP address.  I'm afraid someone will spoof the IP
> > addresses of the internal network to bypass this security measure.
> 
> The easiest way to do this is with a firewall.  Set up a firewall on
> your external interface that blocks all packets claiming to be from
> your internal interface.  Your OS should have a tool to do this
> (iptables on modern Linux).  It's also smart to do this at your
> perimeter router; since lots of random things use IP addresses as
> access control it's wise to stop anything fishy before it gets into
> your building.

On Linux you don't need to add firewall rules. Just enable rp_filter.
On kernels > 2.6 you do this as follows:
   echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
for eth0... The kernel will now drop all packets on eth0 that should
never have arrived there in the first place.

Most Linux distros do this out of the box with all their interfaces.

I assume that most other OSes have similar facilities.

Krist

-- 
krist.vanbesien@gmail.com
Solothurn, Switzerland
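An added example, not from anyone in this thread: a small POSIX shell audit of the rp_filter setting Krist describes. It reads the per-interface values under /proc/sys/net/ipv4/conf (the directory is a parameter so it can also be pointed at a constructed copy), applies the kernel's rule that the effective value is the larger of conf/all and conf/<iface>, and lists interfaces that still have no source validation. The interface name, prefix and rule format in the last function are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit reverse-path filtering instead of assuming the distro
# turned it on. Works against the live sysctl tree or any directory laid out
# the same way (used for offline testing).

rp_filter_effective() {
    # $1 = conf directory, $2 = interface name.
    # The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter),
    # so a per-interface 0 is still protected when "all" is 1.
    all=$(cat "$1/all/rp_filter" 2>/dev/null || echo 0)
    iface=$(cat "$1/$2/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

rp_filter_audit() {
    # Prints the space-separated names of interfaces whose effective
    # rp_filter is 0, i.e. spoofed-source packets would be accepted there.
    dir=${1:-/proc/sys/net/ipv4/conf}
    weak=""
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$name" in all|default|lo) continue ;; esac
        eff=$(rp_filter_effective "$dir" "$name")
        if [ "$eff" -eq 0 ]; then weak="$weak $name"; fi
    done
    echo "${weak# }"
}

spoof_drop_rule() {
    # Belt-and-braces rule in the spirit of Scott's reply: on the external
    # interface ($1), drop anything claiming an internal source ($2).
    # Hypothetical values; emitted as text so it can be reviewed, not applied.
    echo "iptables -A INPUT -i $1 -s $2 -j DROP"
}

# Stand-alone use on a Linux host: report interfaces lacking rp_filter.
[ -d /proc/sys/net/ipv4/conf ] && rp_filter_audit
```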

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

