
Bugtraqmailing list archives


Re: Linux kernel 2.4 "weak end host" issue Explained


From: "Matthew G. Marsh" <mgm () paktronix com>
Date: Tue, 14 May 2002 09:47:22 -0500 (CDT)

Note to Moderator: I can provide a more detailed explanation for the commands cited below but feel it may not be of interest to the broader public. If you would prefer.

-----

On Thu, 9 May 2002, Felix von Leitner wrote:

> A service bound to the IP of eth1 is still visible from eth0. This is not an RFC violation (RFC1122 calls this "weak end host"), but it is unexpected for most Linux users, and the very reason why people bind a service to the IP of a specific network interface usually is to make sure it can only be used from that interface (DHCP, samba, squid and intranet web servers come to mind).
Any Linux users who think this way are sadly misinformed as to how IPv4 works in general. This is expected and normal behaviour for Linux. Stating otherwise reveals a deep disregard for the variety of structure and definition of IPv4 and an assumption that there is only one true way. Bluntly put - the world is not BSD nor is it Microsoft. Read the RFCs and learn how IPv4 works.

IP addresses have nothing to do with physical interfaces. An IP address (or indeed any generalized location structure name) defines the contact point for a service. All references to binding exist due to this fundamental fact of addressing. That is why ARP exists in the first place. ARP is a protocol to allow communication over Layer 2 (DataLink) to occur as required (think raw ethernet/token ring) between a Service and Requestor.

> This is not an ARP issue. Making the kernel stop answering to ARP requests will not make it harder for an attacker to reach the service.
Correct.

[snip]

> There is a Linux specific kludge^Whack^Wmethod to bind to an interface, but I am not aware of any software using it. If you have multi homed hosts and rely on a service bound to eth1 not being visible to eth0, you need to use netfilter or this patch!

No. Due to the unparalleled scope and breadth of Linux IPv4 networking you simply can change the behaviour through routing. Example:

    eth0 = 1.1.1.1/24
    eth1 = 2.2.2.2/24

    ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000
    ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000
    ip route add default dev eth0 table 1
    ip route add default dev eth1 table 2

If anyone would like more detailed explanations of this subject please feel free to email me. Linux IPv4 routing contains a wealth of power under the hood.
Felix
--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: mgm () paktronix com
WWW: http://www.paktronix.com
--------------------------------------------------
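As an added example, not part of the thread above, the following script audits a multi-homed Linux host for the assumption Felix describes: it parses constructed samples of `ip -o -4 addr show` and `ss -Hltn` output, flags listeners bound to a single interface's address (which the weak end host model makes reachable through any interface), and emits Matthew's ip rule / ip route pattern generalized to any number of interfaces. The sample output, the two interfaces and the table/priority numbering are assumptions taken from the post, not real host data.

```python
"""Weak end host audit (added example, not code from the Bugtraq thread)."""
import re

# Constructed sample resembling `ip -o -4 addr show` (interfaces from the post).
IP_ADDR_SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 1.1.1.1/24 brd 1.1.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 2.2.2.2/24 brd 2.2.2.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

# Constructed sample resembling `ss -Hltn` (listening TCP sockets, no header).
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 2.2.2.2:3128 0.0.0.0:*
LISTEN 0 50 2.2.2.2:445 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
"""

def parse_addrs(text):
    """Return {ip: (iface, prefixlen)} for global-scope IPv4 addresses."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+([\d.]+)/(\d+).*scope global", line)
        if m:
            addrs[m.group(2)] = (m.group(1), int(m.group(3)))
    return addrs

def interface_bound_listeners(ss_text, addrs):
    """Listeners bound to one interface's IP. Under the weak end host model
    these answer on any interface that can deliver packets to that IP, so
    the bind alone does not restrict which interface the service is used from."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        ip, port = fields[3].rsplit(":", 1)
        if ip in addrs:
            found.append((addrs[ip][0], ip, int(port)))
    return found

def policy_routing_commands(addrs, base_prio=15000):
    """Source-based routing so replies from each address leave via its own
    interface: one table per interface, priorities 1000 apart as in the post."""
    cmds = []
    by_iface = sorted(addrs.items(), key=lambda kv: kv[1][0])
    for table, (ip, (iface, _)) in enumerate(by_iface, start=1):
        prio = base_prio + (table - 1) * 1000
        cmds.append(f"ip rule add from {ip}/32 dev lo table {table} prio {prio}")
        cmds.append(f"ip route add default dev {iface} table {table}")
    return cmds
```

Run it against real output by substituting `subprocess.check_output(["ip", "-o", "-4", "addr", "show"], text=True)` and `ss -Hltn` for the two samples; the emitted commands are printed for review, not executed.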
