extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-07 16:24:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Mention 'weak host model' in the Fool's firewall article

Browse Source
This commit is contained in:
Tom Eastep 2010-11-27 11:14:51 -08:00
parent 681529b664
commit 095345f95c
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/FoolsFirewall.xml
View File

@ -62,7 +62,7 @@
<para>Because Fool's firewall is not physically located between the net
and the local systems, the local systems are exposed to all of the systems
in the same broadcast domain. Because the local systems (expecially those
in the same broadcast domain. Because the local systems (especially those
running Windows) send broadcasts, those systems can be easily detected by
using a packet sniffer. Once the systems have been spotted, it is child's
play to add an IP address in Fool's internal IP network and bypass his
@ -74,8 +74,10 @@
<section>
<title>ARP Roulette</title>
<para>The Linux IP stack exhibits some unexpected behavior with respect to
ARP. It will respond to ARP 'who-has' requests received on
<para>The Linux IP stack implements the <ulink
url="http://en.wikipedia.org/wiki/Host_model">weak host model.</ulink> As
a result, it exhibits some unexpected behavior with respect to ARP. It
will respond to ARP 'who-has' requests received on
<emphasis>any</emphasis> interface and not just on the interface owning
the address. So when the upstream router sends a 'who-has' request for
Fool's external IP address, the response may come from his