On Thursday 31 January 2002 09:21, Steffen Dettmer wrote:
* Sebastian J. Bronner wrote on Wed, Jan 30, 2002 at 02:03 -1000:
On Tuesday 29 January 2002 23:15, Steffen Dettmer wrote:
Huh?! The example says "eth0:0" is a device? I think it's only some syntax for ifconfig and similar tools. There is no difference between eth0:0 and eth0 except the IP.
So the poster can filter on destination address, rather than interface, if the netfilter code doesn't understand eth0:0 aliasing.
Yes, you're right, not a very constructive thing to say. But this is not entirely wrong. Single-NIC firewalls are not real firewalls, since they are not able to really drop any packets, since it's the same wire.
They're not entirely useless though, so long as he can be sure of the address allocation of the protected hosts. A virtual subnet can be a useful stepping stone towards a cleaner configuration; it's better than doing nothing. As for collisions, if he has a full-duplex connection on a switching hub, that is hardly going to be a problem.
like "--source $home --dest ! $home --dev device"? In this case, the device usually shouldn't matter at all. I don't think it's
Choose either rules based on addresses, or rules based on devices, but be consistent.

Rob
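As an added illustration of the address-based approach discussed in this thread (this is not the poster's ruleset or anything from the original mails), the script below emits an iptables FORWARD policy that never references a device. It assumes a modern iptables that writes negation as "! -d" (older releases wrote "-d ! net"), a single real interface eth0 whose alias eth0:0 carries the gateway address of a virtual "home" subnet, and home hosts that use that alias address as their default gateway, so their traffic to and from the outside actually traverses the firewall's FORWARD chain. The subnet 192.168.10.0/24 is a constructed example. The second function is a small consistency check in the spirit of the closing advice: it flags any rule that matches on -i or -o, since on a one-NIC box such matches gain nothing and an interface name like eth0:0 is not a device netfilter can match.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions:
#  - iptables with "! -d" negation syntax
#  - one real interface (eth0); eth0:0 is only an ifconfig alias holding the
#    gateway address of the home subnet, so netfilter never sees it as a device
#  - home hosts route via that alias address, so home<->outside traffic passes
#    through FORWARD on this box (traffic that stays on the wire between two
#    hosts never reaches us, which is the "same wire" limitation of the thread)
# Both functions only print commands; run  sh thisfile.sh | sh  as root to apply.

HOME_NET="192.168.10.0/24"   # constructed example: the virtual subnet behind eth0:0

# Print an address-based FORWARD policy for the given home subnet.
# No -i / -o anywhere: the device is the same for every packet we see.
fw_rules() {
    home="$1"
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -F FORWARD" \
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -s $home ! -d $home -j ACCEPT" \
        "iptables -A FORWARD ! -s $home -d $home -j DROP"
}

# Consistency check: read rules on stdin, succeed (exit 0) if any of them
# uses an interface match (-i or -o), fail (exit 1) otherwise. A ruleset
# built on addresses should make this fail.
uses_device_match() {
    grep -Eq -- '(^| )-(i|o) '
}

# Stand-alone run: print the rules, then warn if a device match slipped in.
fw_rules "$HOME_NET"
if fw_rules "$HOME_NET" | uses_device_match; then
    echo "warning: ruleset mixes device matches with address matches" >&2
fi
```

Apply the output as root only after checking it; the generated rules drop everything from outside into the home subnet that is not part of a connection the home side opened, and accept everything the home side originates, which matches the "--source $home --dest ! $home" idea quoted above without relying on eth0:0 being a device.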