summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-03-12 09:20:02 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2009-03-12 09:20:02 -0700
commita76180820eb08f3957ab36e25cada8ab0f0ccc5d (patch)
tree3c522b85c14f5d9b0323a2d0ab30b603c42016cd
parente2c1d71f7e57956a01959846178bb132d68d14f6 (diff)
downloadvyatta-cfg-firewall-a76180820eb08f3957ab36e25cada8ab0f0ccc5d.tar.gz
vyatta-cfg-firewall-a76180820eb08f3957ab36e25cada8ab0f0ccc5d.zip
Enable strict host matching
Bug 4061 Host (INPUT) chain will only accept packets where destination address matches address on incoming interface.
-rw-r--r--scripts/firewall/firewall.init.in6
1 files changed, 5 insertions, 1 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 5904a3d..4d8608f 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -56,7 +56,11 @@ start () {
# set up post-firewall hook
iptables -N VYATTA_POST_FW_HOOK
iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
- iptables -A INPUT -j VYATTA_POST_FW_HOOK
+
+ # enforce strict host matching (see bug 4061)
+ iptables -P INPUT -j DROP
+ iptables -A INPUT -m strict -j VYATTA_POST_FW_HOOK
+
iptables -A FORWARD -j VYATTA_POST_FW_HOOK
# set up pre-SNAT hook