On Wed, Mar 15, 2023 at 03:35:18PM +0100, krys...@ibse.cz wrote:
> On Wednesday, 15 March 2023 12:55:55 CET, Henning Follmann wrote:
> > This is indeed not right.
> > Please try to ping any other host on the 192.168.1.0/24 network from
> > 192.168.0.0/24 network. This might be just the case that the host with the
> > two interfaces replies on any interface independent of the network.
>
> Pinging to other hosts on that network does not work - forwarding is
> disabled, which is the default. My point is that when I have a server which
> has management interface on VLAN for example, and some client sets default
> route to that server and tries to access the management address, he will get
> there if no input interface is set on firewall. The management is not the
> problem since it usually is accessible only through one interface on one
> specific address, but when I want to enable ICMP for example on multiple
> interfaces from multiple networks, it gets kind of exhausting. I was
> wondering if it is possible to prevent this behavior through modification of
> kernel network stack, but did find nothing other than rp_filter which checks
> source address of packets but not the destination one.
>

Seriously, please format your text to make it more readable.
Use your return key! Or at least set your editor's wrap length.

What you are looking for, I think, is
net.ipv4.conf.default.rp_filter=1
in /etc/sysctl.conf.

-H

--
Henning Follmann | hfollm...@itcfollmann.com
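
A simplified model of the receive decision discussed in this thread, added here as an example and not part of either message: it compares a strict reverse-path (source) check with a check that the destination address belongs to the receiving interface. The interface names and the .1 host addresses are assumptions; only the two /24 networks come from the thread.

```python
import ipaddress

# Constructed host on the thread's two networks; interface names and the .1
# addresses are assumptions. Forwarding is disabled and there is no default route.
INTERFACES = {
    "eth0": ipaddress.ip_interface("192.168.0.1/24"),
    "eth1": ipaddress.ip_interface("192.168.1.1/24"),
}


def rp_filter_strict(src, in_if):
    """Strict reverse-path check: the best route back to src must use in_if."""
    src = ipaddress.ip_address(src)
    routes = [(i.network.prefixlen, name)
              for name, i in INTERFACES.items() if src in i.network]
    return bool(routes) and max(routes)[1] == in_if


def deliver(src, dst, in_if, strong_host=False):
    """Return the verdict for a packet arriving on in_if (simplified model)."""
    dst = ipaddress.ip_address(dst)
    if not rp_filter_strict(src, in_if):
        return "drop: rp_filter"        # source is not reachable via in_if
    owners = [name for name, i in INTERFACES.items() if i.ip == dst]
    if not owners:
        return "drop: not local"        # would need forwarding, which is off
    if strong_host and in_if not in owners:
        return "drop: wrong interface"  # destination belongs to another interface
    return "accept"                     # any local address, on any interface


if __name__ == "__main__":
    # Constructed packets: (source, destination, receiving interface)
    cases = [
        ("192.168.0.5", "192.168.0.1", "eth0"),  # normal traffic
        ("192.168.0.5", "192.168.1.1", "eth0"),  # the case from the question
        ("192.168.1.7", "192.168.0.1", "eth0"),  # source from the other network
        ("192.168.0.5", "192.168.1.9", "eth0"),  # another host behind eth1
    ]
    for src, dst, in_if in cases:
        print(src, "->", dst, "on", in_if, "|",
              "default:", deliver(src, dst, in_if), "|",
              "dst bound to interface:", deliver(src, dst, in_if, True))
```

The `strong_host` branch stands for what a firewall rule matching on the input interface enforces per address; the source check alone passes the second packet because its source is legitimately reachable through eth0.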