Date: Thu, 04 Nov 2021 19:10:37 +0000
From: Jamie Landeg-Jones <jamie@catflap.org>
To: jamie@catflap.org, freebsd-rwg@gndrsh.dnsmgr.net
Cc: shuriku@shurik.kiev.ua, freebsd-net@FreeBSD.org
Subject: Re: netmask for loopback interfaces
Message-ID: <202111041910.1A4JAbY2016855@donotpassgo.dyslexicfish.net>
In-Reply-To: <202111041430.1A4EUPOe029661@gndrsh.dnsmgr.net>
References: <202111041430.1A4EUPOe029661@gndrsh.dnsmgr.net>
"Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net> wrote:
> > Note, the default FreeBSD firewall rules already have:
> >
> > ${fwcmd} add 100 pass all from any to any via lo0
> > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Which no longer work correctly since the "to 127.0.0.0/8"
> packets SHALL go out what ever interface the route table
> tells them to (often the default route), AND NOT lo0.
>
> oot {1003}# route -n get 127.1.1.1
> route to: 127.1.1.1
> destination: 0.0.0.0
> mask: 0.0.0.0
> gateway: 192.168.32.8
> fib: 0
> interface: em0
Hi!
I'm not sure what you mean. The current default rules will stop
anything to 127.0.0.0/8 going anywhere other than via lo0 -
which preserves "current expected behaviour" - I was pointing
out that in reply to Oleksandr's comment:
| /8 mask on loopback prevents using of 127.x.x.x network anywhere
| outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]
His argument was that putting an /8 on the localhost address would
neatly stop 127/8 traffic going to the LAN - I was pointing out there
are other ways to do this, i.e. routing, and the firewall.
Of course, if FreeBSD relaxes to allow the use of 128/8 outside 128/16,
then these rules will need to be changed.
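The three rc.firewall rules quoted above are evaluated first-match, and rule 100's "via lo0" only matches when the packet is actually on lo0. The following is an added illustration, not FreeBSD's ipfw code: a reduced model of that evaluation (only pass/deny, from/to CIDR or any, and an optional via interface, which is all those three rules use), run over constructed packets including the misrouted case from Rodney's "route -n get 127.1.1.1" output, where a 127/8 destination is sent out em0 and so falls through to rule 200.

```python
"""Reduced first-match model of the three default ipfw rules from rc.firewall.

Constructed example, not FreeBSD's ipfw implementation: rule syntax is cut
down to what those three rules use, and packets are plain dicts built inline.
"""
from ipaddress import ip_address, ip_network

# The three rules as quoted in the thread, in numeric (evaluation) order:
# (number, action, source spec, destination spec, 'via' interface or None)
RULES = [
    (100, "pass", "any", "any", "lo0"),
    (200, "deny", "any", "127.0.0.0/8", None),
    (300, "deny", "127.0.0.0/8", "any", None),
]


def _addr_matches(spec, addr):
    """'any' matches everything; otherwise the address must be in the CIDR."""
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(pkt, rules=RULES):
    """Return (rule_number, action) of the first matching rule, or None.

    'via IFACE' matches the interface the packet is received on or sent out,
    as ipfw's 'via' does. A packet bound for 127/8 that the routing table
    sends out em0 therefore never hits rule 100 and is caught by rule 200.
    None means none of these three rules matched; in a real rc.firewall the
    later rules (and finally the kernel's default rule) decide.
    """
    for num, action, src, dst, via in rules:
        if via is not None and pkt["iface"] != via:
            continue
        if _addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"]):
            return num, action
    return None


def main():
    # Constructed packets: normal loopback traffic, the misrouted 127.1.1.1
    # case from the quoted 'route -n get' output, a 127/8 source leaking
    # out em0, and ordinary LAN traffic that these rules do not decide.
    cases = [
        {"src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0"},
        {"src": "192.168.32.10", "dst": "127.1.1.1", "iface": "em0"},
        {"src": "127.0.0.2", "dst": "192.168.32.8", "iface": "em0"},
        {"src": "192.168.32.10", "dst": "192.168.32.8", "iface": "em0"},
    ]
    for pkt in cases:
        print(pkt, "->", evaluate(pkt))


if __name__ == "__main__":
    main()
```

The model deliberately stops at these three rules; what happens to the fourth packet depends on the rest of the ruleset, which the thread does not quote.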
