On Sat, Mar 02, 2002 at 04:21:24PM -0800, erich@uruk.org wrote:
> The fact that the routing layer and application layers of Linux's
> TCP/IP stack are one and the same is a difficulty here which the
> IP firewalling code in Linux does not fix. I.e. if I wanted to
> have routing as well, but not accept any packets internally *not*
> destined for my interface, I'm not sure how to specify it without
> something like TCP wrappers, as sleazy as they can be, and they
> don't offer this kind of capability in general as is.
Linux 2.4 netfilter:
Incoming Outgoing
interface interface
----+------------------- FORWARD -----------------+------->
| ^
v |
INPUT -------------> Application -----------> OUTPUT
The names in capitals are the names of the tables. You can control
packets that the local machine sees completely independently of what
gets routed through the machine with a kernel supporting iptables
by adding the appropriate rules to the input and forward tables.
--
Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Mar 07 2002 - 21:00:25 EST