Date: Thu, 14 Feb 2002 19:19:06 +0200
From: Ruslan Ermilov
To: Garrett Wollman
Cc: net@FreeBSD.org
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Message-ID: <20020214191906.A7309@sunbay.com>
In-Reply-To: <200202141639.g1EGdbS06007@khavrinen.lcs.mit.edu>

[Redirected to -net]

On Thu, Feb 14, 2002 at 11:39:37AM -0500, Garrett Wollman wrote:
> < said:
>
> > ping -s 127.1 1.2.3.4
> > telnet -S 127.1 1.2.3.4
>
> If someone explicitly overrides source-address selection, they are
> presumed to know WTF they are doing, and the kernel should not be
> trying to second-guess them.
>
That "someone" could be a bad guy playing dirty games with your box
and certainly knowing what he's doing.  :-)

So far, no one gave me a real example where using net 127 outside
loopback would be useful.  If such an example exists, we should
wrap all three checks into a sysctl, including ip_input(), ip_output(),
and in_canforward() parts, where ip_input() has existed for almost a year,
and in_canforward() existed since 1987.

-- 
Ruslan, who just wants a consistency here.
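
The three checks discussed in this message, sketched as an added userland example (it is not code from the FreeBSD kernel or from the poster). The names `loopback_net_strict`, `loopback_net_permits` and `enum path` are hypothetical; the flag stands in for the proposed sysctl, and the addresses in `main` are constructed from the commands quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Hypothetical knob standing in for the sysctl proposed in the message. */
static bool loopback_net_strict = true;

enum path { PATH_INPUT, PATH_OUTPUT, PATH_FORWARD };

/* Build a network-byte-order IPv4 address from four octets. */
static uint32_t ip4(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    return htonl((a << 24) | (b << 16) | (c << 8) | d);
}

/* True when a network-byte-order address lies in 127.0.0.0/8. */
static bool in_loopback_net(uint32_t addr_be)
{
    return (ntohl(addr_be) >> 24) == 127;
}

/*
 * One policy for all three paths, so they cannot drift apart.
 * if_is_loopback: the receiving (input) or transmitting (output)
 * interface is a loopback interface; it is ignored when forwarding.
 */
static bool loopback_net_permits(enum path p, uint32_t src_be,
                                 uint32_t dst_be, bool if_is_loopback)
{
    bool touches = in_loopback_net(src_be) || in_loopback_net(dst_be);

    if (!touches || !loopback_net_strict)
        return true;            /* not net 127, or checks switched off */
    if (p == PATH_FORWARD)
        return false;           /* net 127 is never forwarded */
    return if_is_loopback;      /* net 127 stays on the loopback interface */
}

int main(void)
{
    /* Constructed case: source forced to 127.1 (127.0.0.1), destination
     * 1.2.3.4, leaving through a non-loopback interface. */
    bool ok = loopback_net_permits(PATH_OUTPUT, ip4(127, 0, 0, 1),
                                   ip4(1, 2, 3, 4), false);
    printf("output 127.0.0.1 -> 1.2.3.4: %s\n", ok ? "pass" : "drop");
    return 0;
}
```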