Re: Is source address selection based on rules (netfilter) possible?



David Brown wrote:
> On 30/08/2010 10:58, Pascal Hambourg wrote:
>
>> I still see a problem in this situation: the security relies on proper
>> routing setup of third parties, usually the ISP's routers. However I
>> admit that the chances the ISP's routers are misconfigured or
>> compromised are quite tiny. But in some ISP topologies, multiple
>> customers share the same link layer thus can communicate directly with
>> one another without involving any ISP router. Such topology has at least
>> existed in some cable ISPs.
>
> Yes, I can see that could be a problem - a malicious "neighbour" on the
> same link layer could send packets through your NAT router by directly
> addressing the internal addresses.

Correct. This could also happen in another situation: a hosted
dedicated server running virtual machines with private addresses and
acting as a NAT router for them. Other (possibly compromised) dedicated
servers in the same subnet could send packets if the hosting service's
switches don't perform layer 3 filtering.
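The point both posters make is that a NAT router must not rely on upstream routers to keep its private addresses unreachable: a host on the same link layer (a cable neighbour, or another dedicated server on the hosting subnet) can hand the router a frame addressed straight to an internal address. The defence is an ingress filter on the WAN interface that is applied before routing and before NAT. The following is an added example, not code from this thread; it models that filter in Python and renders the equivalent iptables raw-table rules. It assumes the interface names eth0 (WAN) and eth1 (LAN), the LAN prefix 192.168.1.0/24, and a public address on the WAN side (if the ISP hands out a private WAN address, the destination check would have to be narrowed to the LAN prefix only). The sample packets are constructed for illustration.

```python
"""Ingress filter for a NAT router whose WAN link is shared with untrusted
neighbours (cable segment, hosting subnet).  Added example, not code from
the thread.  Interface names and prefixes below are assumptions."""
import ipaddress
from dataclasses import dataclass

WAN_IF = "eth0"                                   # assumed: upstream / shared link
LAN_IF = "eth1"                                   # assumed: NATed hosts or VMs
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix

# RFC 1918 space.  Nothing entering from the shared WAN link may carry one of
# these as source or destination, whoever switched or routed it to us.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """Only the fields the filter looks at: ingress interface and IP addresses."""
    in_if: str
    src: str
    dst: str


def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def ingress_verdict(pkt: Packet) -> str:
    """Verdict for a packet as it enters the router, before the routing
    decision and before NAT (the position of the raw PREROUTING chain).
    Returns 'DROP' or 'PASS'; 'PASS' only means the normal routing, DNAT
    and FORWARD policy then apply."""
    if pkt.in_if == WAN_IF:
        if _in_any(pkt.dst, PRIVATE_NETS):
            return "DROP"   # neighbour addressing an internal host directly
        if _in_any(pkt.src, PRIVATE_NETS):
            return "DROP"   # private source on the public side: spoofed
        return "PASS"       # e.g. traffic to the router's public address
    if pkt.in_if == LAN_IF:
        if ipaddress.ip_address(pkt.src) not in LAN_NET:
            return "DROP"   # LAN host using an address it does not own
        return "PASS"
    return "DROP"           # unknown interface: fail closed


def iptables_rules() -> list:
    """The same policy as iptables commands.  The raw table is used so the
    checks run before conntrack and before any DNAT in nat PREROUTING."""
    rules = []
    for net in PRIVATE_NETS:
        rules.append(f"iptables -t raw -A PREROUTING -i {WAN_IF} -d {net} -j DROP")
        rules.append(f"iptables -t raw -A PREROUTING -i {WAN_IF} -s {net} -j DROP")
    rules.append(f"iptables -t raw -A PREROUTING -i {LAN_IF} ! -s {LAN_NET} -j DROP")
    return rules


# Constructed sample traffic: a neighbour on the shared link, a spoofed
# source, ordinary inbound traffic to the router's public address, and two
# LAN-side packets.
SAMPLE = [
    Packet(WAN_IF, "203.0.113.7", "192.168.1.10"),   # neighbour -> internal host
    Packet(WAN_IF, "10.9.9.9", "198.51.100.2"),      # spoofed private source
    Packet(WAN_IF, "203.0.113.7", "198.51.100.2"),   # to our public address
    Packet(LAN_IF, "192.168.1.10", "203.0.113.7"),   # normal outbound
    Packet(LAN_IF, "10.0.0.5", "203.0.113.7"),       # LAN host with wrong source
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.in_if} {p.src} -> {p.dst}: {ingress_verdict(p)}")
    print()
    print("\n".join(iptables_rules()))
```

Port forwards keep working with this in place: a DNATed connection arrives with the router's public address as destination, passes the raw-table check, and is rewritten to the internal address only afterwards in nat PREROUTING. What the rules remove is exactly the path the thread describes, a frame delivered by a peer on the shared segment whose IP destination is already an internal address.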