Date: Mon, 18 Feb 2002 20:49:55 -0800 (PST)
From: Julian Elischer <julian@elischer.org>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: Archie Cobbs <archie@dellroad.org>, Ruslan Ermilov <ru@FreeBSD.ORG>, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, net@FreeBSD.ORG
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Message-ID: <Pine.BSF.4.21.0202182046210.53728-100000@InterJet.elischer.org>
In-Reply-To: <20020218201311.V48401@blossom.cjclark.org>
I suggest that you get Archie to walk over to the next desk and ask
Van Jacobson. There's nothing like getting it from the Horse's mouth
(so to speak).

On Mon, 18 Feb 2002, Crist J. Clark wrote:

> On Mon, Feb 18, 2002 at 07:02:48PM -0800, Archie Cobbs wrote:
> >
> > Note that the RFC you are holding up as gospel talks about hosts
> > on THE Internet, not hosts on some private test network. You assume
> > too much by assuming that all hosts running FreeBSD are connected
> > directly to the Internet.
>
> No, RFC1122 is a set of requirements for hosts implementing _the
> Internet protocol._ [...]
> I believe it is the intention of FreeBSD to have a working, compliant
> IP implementation.
>
> > By your argument, the kernel should also block admin attempts to
> > configure RFC 1918 addresses (10.x.x.x, 192.168.x.x, etc.) on an
> > interface. That would put a lot of people behind NAT boxes out of
> > business.
>
> There are no requirements or references to RFC1918, 10.0.0.0/8,
> 172.16.0.0/12, or 192.168.0.0/16 in RFC1122.
>
> > If someone intentionally configures their machine in an unconventional
> > way, why automatically assume they are doing something wrong?
> >
> > My vote is to not have any special cases in the kernel for 127/8...
> > rc.conf, rc.network, rc.firewall, et al. is fine, but nothing
> > in the kernel.
>
> You definitely want to at least block incoming 127.0.0.1 in the
> kernel. Not doing so is a big security hole. Let's revisit that
> discussion all over again,

That is what ipfw is for.

> http://www.securityfocus.com/archive/1/166648
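As an added illustration of the "do it in ipfw, not in the kernel" position (this is not code from the thread or from FreeBSD itself): the loopback rules in the shape rc.firewall uses them, plus a small sh evaluator of the same policy run over constructed packet records. The rule numbers, the `fwcmd` argument, the interface names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the filter-based answer to
# "block 127/8 on non-loopback interfaces" and evaluates that policy
# against constructed packet records.

# Emit the loopback rules in the shape used by FreeBSD's rc.firewall.
# Rule numbers and the fwcmd path are assumptions.
loopback_rules() {
    fwcmd=${1:-/sbin/ipfw}
    printf '%s\n' \
        "$fwcmd add 100 pass all from any to any via lo0" \
        "$fwcmd add 200 deny all from any to 127.0.0.0/8" \
        "$fwcmd add 300 deny ip from 127.0.0.0/8 to any"
}

# is_loopback ADDR: true if ADDR is in 127.0.0.0/8 (first octet is 127).
is_loopback() {
    [ "${1%%.*}" = "127" ]
}

# decide IFACE SRC DST: prints "pass" or "deny" following the rules above.
# Anything on lo0 passes; any other interface carrying a 127/8 source or
# destination is a martian and is denied. This is the RFC 1122 requirement
# the thread argues about, enforced by the filter instead of ip_output().
decide() {
    iface=$1 src=$2 dst=$3
    if [ "$iface" = "lo0" ]; then
        echo pass
    elif is_loopback "$src" || is_loopback "$dst"; then
        echo deny
    else
        echo pass
    fi
}

# Constructed sample records ("iface src dst"), not real captures.
samples='lo0 127.0.0.1 127.0.0.1
fxp0 192.0.2.10 127.0.0.1
fxp0 127.0.0.1 192.0.2.10
fxp0 192.0.2.10 192.0.2.20'

# Print the rules, then the verdict for each sample record.
main() {
    loopback_rules
    echo "$samples" | while read -r iface src dst; do
        printf '%-5s %-12s -> %-12s %s\n' "$iface" "$src" "$dst" \
            "$(decide "$iface" "$src" "$dst")"
    done
}

main
```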