From: Archie Cobbs
Message-Id: <200202190302.g1J32m991795@arch20m.dellroad.org>
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
In-Reply-To: <20020214191906.A7309@sunbay.com> "from Ruslan Ermilov at Feb 14, 2002 07:19:06 pm"
To: Ruslan Ermilov
Date: Mon, 18 Feb 2002 19:02:48 -0800 (PST)
Cc: Garrett Wollman, net@FreeBSD.ORG

Ruslan Ermilov writes:
> > > ping -s 127.1 1.2.3.4
> > > telnet -S 127.1 1.2.3.4
> >
> > If someone explicitly overrides source-address selection, they are
> > presumed to know WTF they are doing, and the kernel should not be
> > trying to second-guess them.
> >
> That "someone" could be a bad guy playing dirty games with your box and
> certainly knowing what he's doing. :-)
>
> So far, no one gave me a real example where using net 127 outside
> loopback would be useful. If such an example exists, we should
> wrap all three checks into a sysctl, including the ip_input(), ip_output(),
> and in_canforward() parts, where ip_input() has existed for almost a year,
> and in_canforward() has existed since 1987.

No example is required.
The kernel should not be implementing what is essentially a policy decision.

Note that the RFC you are holding up as gospel talks about hosts on THE Internet, not hosts on some private test network. You assume too much by assuming that all hosts running FreeBSD are connected directly to the Internet.

By your argument, the kernel should also block admin attempts to configure RFC 1918 addresses (10.x.x.x, 192.168.x.x, etc.) on an interface. That would put a lot of people behind NAT boxes out of business.

If someone intentionally configures their machine in an unconventional way, why automatically assume they are doing something wrong?

My vote is to not have any special cases in the kernel for 127/8... rc.conf, rc.network, rc.firewall, et al. is fine, but nothing in the kernel.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com