Date: Thu, 14 Feb 2002 19:19:06 +0200
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: net@FreeBSD.org
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Message-ID: <20020214191906.A7309@sunbay.com>
In-Reply-To: <200202141639.g1EGdbS06007@khavrinen.lcs.mit.edu>
References: <20020213110347.C46245@sunbay.com> <200202131550.g1DFoDh41696@khavrinen.lcs.mit.edu> <20020213175851.A22977@sunbay.com> <3C6AFD6D.9ED1190A@mindspring.com> <20020214110941.A30024@sunbay.com> <200202141639.g1EGdbS06007@khavrinen.lcs.mit.edu>
[Redirected to -net]

On Thu, Feb 14, 2002 at 11:39:37AM -0500, Garrett Wollman wrote:
> <<On Thu, 14 Feb 2002 11:09:41 +0200, Ruslan Ermilov <ru@FreeBSD.ORG> said:
>
> > ping -s 127.1 1.2.3.4
> > telnet -S 127.1 1.2.3.4
>
> If someone explicitly overrides source-address selection, they are
> presumed to know WTF they are doing, and the kernel should not be
> trying to second-guess them.
>
That "someone" could be a bad guy playing dirty games with your box and
certainly knowing what he's doing. :-)

So far, no one gave me a real example where using net 127 outside
loopback would be useful. If such an example exists, we should wrap all
three checks into a sysctl, including the ip_input(), ip_output(), and
in_canforward() parts, where the ip_input() check has existed for almost a
year, and in_canforward() has existed since 1987.

--
Ruslan, who just wants consistency here.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
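The three checks the message proposes to tie to one sysctl, modeled as an added example in plain C (not FreeBSD's kernel code): one predicate for the ip_input(), ip_output() and in_canforward() hooks, gated by a hypothetical knob standing in for the sysctl. Addresses are IPv4 in host byte order, and `if_loopback` says whether the packet is on lo0, where net 127 is legitimate.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical knob playing the role of the sysctl proposed in the mail. */
int net_inet_ip_block_loopback_net = 1;

enum ip_hook { IP_HOOK_INPUT, IP_HOOK_OUTPUT, IP_HOOK_FORWARD };

/* Build a host-order IPv4 address from a dotted quad. */
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* True when addr lies in 127.0.0.0/8. */
static bool in_loopback_net(uint32_t addr)
{
    return (addr >> 24) == 127;
}

/* Return true when the packet must be dropped at the given hook. */
bool ip_loopback_check(enum ip_hook hook, uint32_t src, uint32_t dst,
                       bool if_loopback)
{
    if (!net_inet_ip_block_loopback_net)
        return false;           /* knob off: no check at all */
    if (if_loopback)
        return false;           /* net 127 belongs on lo0 itself */
    switch (hook) {
    case IP_HOOK_INPUT:
        /* ip_input(): 127/8 src or dst arriving on a real wire is a martian */
        return in_loopback_net(src) || in_loopback_net(dst);
    case IP_HOOK_OUTPUT:
        /* ip_output(): e.g. "ping -s 127.1 1.2.3.4" leaving a real interface */
        return in_loopback_net(src);
    case IP_HOOK_FORWARD:
        /* in_canforward(): never route toward a 127/8 destination;
         * a 127/8 source was already refused by the input hook */
        return in_loopback_net(dst);
    }
    return false;
}

int main(void)
{
    /* Constructed sample: spoofed loopback source leaving a real interface. */
    printf("output 127.0.0.1 -> 1.2.3.4 dropped: %d\n",
           ip_loopback_check(IP_HOOK_OUTPUT, ip4(127,0,0,1), ip4(1,2,3,4), false));
    return 0;
}
```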