From owner-freebsd-isp  Thu Nov  6 10:38:55 1997
Return-Path: <owner-freebsd-isp>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id KAA04038
          for isp-outgoing; Thu, 6 Nov 1997 10:38:55 -0800 (PST)
          (envelope-from owner-freebsd-isp)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA04032
          for <freebsd-isp@FreeBSD.ORG>; Thu, 6 Nov 1997 10:38:52 -0800 (PST)
          (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id KAA17736; Thu, 6 Nov 1997 10:38:17 -0800 (PST)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3)
	id sma017730; Thu Nov  6 10:38:07 1997
Received: (from archie@localhost) by bubba.whistle.com (8.8.5/8.6.12) id KAA11072; Thu, 6 Nov 1997 10:38:07 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
Message-Id: <199711061838.KAA11072@bubba.whistle.com>
Subject: Re: Security problem/oversight with user PPP!
In-Reply-To: <Pine.GSO.3.96.971106092836.11993A-100000@slip-3> from Dru Nelson at "Nov 6, 97 09:30:38 am"
To: dnelson@slip.net (Dru Nelson)
Date: Thu, 6 Nov 1997 10:38:07 -0800 (PST)
Cc: brandon@roguetrader.com, freebsd-isp@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Dru Nelson writes:
> > >  I agreee, it shouldn't be on by default. It is good, though, when
> > >  you want to work on the PPP client on the far end when getting
> > >  things working.
> > 
> > Doesn't completely fill the hole... :-)
> > 
> > I can still take a UNIX machine on the same network as yours,
> > disable my loopback interface, and set a route to 127.0.0.1
> > via your machine, and then telnet to it.
> > 
>  
>   Hi, where was I 'fill the hole'. If it is off, you can't telnet to 3000?
> 
>   Are you saying that Freebsd has a security hole where it allows 
>   ip with a source of 127.0.0.1.  When it replies for that SYN for
>   telnet, why would it go back to your machine?

Sorry, I was referring to the "fix" that just binds to
127.0.0.1 port 3000 (instead of INADDR_ANY) for the telnet thing.

Whether it's a security hole or a feature depends on how you
look at it. FreeBSD is working as designed. But yes, if I send
a packet to your 127.0.0.1, it will have my (normal) source
address.. so the response to my SYN comes back to me, etc.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com