Date: Mon, 18 Feb 2002 19:02:48 -0800 (PST)
From: Archie Cobbs <archie@dellroad.org>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, net@FreeBSD.ORG
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Message-ID: <200202190302.g1J32m991795@arch20m.dellroad.org>
In-Reply-To: <20020214191906.A7309@sunbay.com> "from Ruslan Ermilov at Feb 14, 2002 07:19:06 pm"
Ruslan Ermilov writes:
> > > ping -s 127.1 1.2.3.4
> > > telnet -S 127.1 1.2.3.4
> >
> > If someone explicitly overrides source-address selection, they are
> > presumed to know WTF they are doing, and the kernel should not be
> > trying to second-guess them.
> >
> That "someone" could be a bad guy playing dirty games with your box and
> certainly knowing what he's doing. :-)
>
> So far, no one gave me a real example where using net 127 outside
> loopback would be useful. If such an example exists, we should
> wrap all three checks into a sysctl, including the ip_input(), ip_output(),
> and in_canforward() parts, where the ip_input() check has existed for almost
> a year, and the in_canforward() check has existed since 1987.

No example is required. The kernel should not be implementing what is
essentially a policy decision.

Note that the RFC you are holding up as gospel talks about hosts on THE
Internet, not hosts on some private test network. You assume too much by
assuming that all hosts running FreeBSD are connected directly to the
Internet.

By your argument, the kernel should also block admin attempts to configure
RFC 1918 addresses (10.x.x.x, 192.168.x.x, etc.) on an interface. That
would put a lot of people behind NAT boxes out of business.

If someone intentionally configures their machine in an unconventional
way, why automatically assume they are doing something wrong?

My vote is to not have any special cases in the kernel for 127/8...
rc.conf, rc.network, rc.firewall, et al. is fine, but nothing in the
kernel.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
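As an added example (not code from this thread or from FreeBSD), here is a small user-space C model of the three checks Ruslan lists, gated by one sysctl-style flag so that the flag turned off corresponds to Archie's position of no kernel policy; the RFC 1918 helper shows the analogy he draws. The site names, the flag name `net_inet_ip_check_net127` and the exact check shapes are assumptions of this model.

```c
/* Added model of the net-127 policy debated in the thread; not FreeBSD code.
 * Three call sites are emulated: ip_input() (127/8 src or dst arriving on a
 * non-loopback interface), ip_output() (127/8 source leaving a non-loopback
 * interface) and in_canforward() (refuse to forward to a 127/8 destination). */
#include <stdio.h>
#include <stdint.h>

enum check_site { SITE_INPUT, SITE_OUTPUT, SITE_FORWARD };

/* Hypothetical sysctl-style switch: 1 enforces the checks in the "kernel",
 * 0 leaves the policy to rc.firewall and friends, as Archie prefers. */
int net_inet_ip_check_net127 = 1;

/* Parse a dotted quad into host byte order. Returns 0 on success, -1 on a
 * malformed string (the "127.1" shorthand from the mail is rejected here). */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

static int in_net127(uint32_t h) { return (h >> 24) == 127; }  /* IN_LOOPBACKNET */

/* RFC 1918 ranges (10/8, 172.16/12, 192.168/16); used only to show why the
 * same reasoning applied to private addresses would break hosts behind NAT. */
int is_rfc1918(const char *addr)
{
    uint32_t h;
    if (parse_ipv4(addr, &h) != 0)
        return -1;
    return (h >> 24) == 10 || (h >> 20) == 0xAC1 || (h >> 16) == 0xC0A8;
}

/* Verdict for one packet at one site: 1 = drop, 0 = pass, -1 = bad input. */
int net127_verdict(enum check_site site, const char *src, const char *dst,
                   int on_loopback_if)
{
    uint32_t s, d;
    if (parse_ipv4(src, &s) != 0 || parse_ipv4(dst, &d) != 0)
        return -1;
    if (!net_inet_ip_check_net127)
        return 0;                 /* kernel does not second-guess the admin */
    switch (site) {
    case SITE_INPUT:   return !on_loopback_if && (in_net127(s) || in_net127(d));
    case SITE_OUTPUT:  return !on_loopback_if && in_net127(s);
    case SITE_FORWARD: return in_net127(d);
    }
    return -1;
}
```

With the flag set, the `ping -s 127.1 1.2.3.4` case from the quoted text (source 127.0.0.1 leaving a non-loopback interface) is dropped at the output site; with it cleared, every packet passes and the decision moves to userland.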