author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2009-03-12 09:20:02 -0700 |
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2009-03-12 09:20:02 -0700 |
commit | a76180820eb08f3957ab36e25cada8ab0f0ccc5d (patch) | |
tree | 3c522b85c14f5d9b0323a2d0ab30b603c42016cd | |
parent | e2c1d71f7e57956a01959846178bb132d68d14f6 (diff) | |
Enable strict host matching
Bug 4061
The host (INPUT) chain will only accept packets whose destination address
matches an address on the incoming interface.
-rw-r--r-- | scripts/firewall/firewall.init.in | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 5904a3d..4d8608f 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -56,7 +56,11 @@ start () {
 # set up post-firewall hook
 iptables -N VYATTA_POST_FW_HOOK
 iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
- iptables -A INPUT -j VYATTA_POST_FW_HOOK
+
+ # enforce strict host matching (see bug 4061)
+ iptables -P INPUT -j DROP
+ iptables -A INPUT -m strict -j VYATTA_POST_FW_HOOK
+ iptables -A FORWARD -j VYATTA_POST_FW_HOOK
 # set up pre-SNAT hook |
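Review bot: `iptables -P INPUT -j DROP` is not valid `-P` syntax — the policy is a positional argument, and iptables rejects `-P` when the next token is an option ("-P requires a chain and a policy"), so the INPUT policy is left at its previous value and the intended default-deny never takes effect; unless start() checks exit statuses (its body begins outside this hunk, so that is not visible here) the failure is silent. The line should read `iptables -P INPUT DROP`. Separately, `-m strict` is not a match extension in stock iptables; if it is a Vyatta-specific module, a comment naming where it comes from would help, because once the policy fix lands a failing `-A INPUT -m strict ...` rule combined with a DROP policy would block all input to the host, including management traffic, so the rule should be verified to load before the policy is flipped. The old `-A INPUT -j VYATTA_POST_FW_HOOK` jump is also removed in favour of a new FORWARD jump; whether FORWARD already reached this hook elsewhere is not visible in the hunk.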