Date: Mon, 18 Feb 2002 20:43:45 -0800 (PST) From: Archie Cobbs <archie@dellroad.org> To: "Crist J. Clark" <cjc@FreeBSD.ORG> Cc: Archie Cobbs <archie@dellroad.org>, Ruslan Ermilov <ru@FreeBSD.ORG>, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, net@FreeBSD.ORG Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output() Message-ID: <200202190443.g1J4hji92220@arch20m.dellroad.org> In-Reply-To: <20020218201311.V48401@blossom.cjclark.org> "from Crist J. Clark at Feb 18, 2002 08:13:11 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
Crist J. Clark writes: > No, RFC1122 is a set of requirements for hosts implementing _the > Internet protocol._ OK... > > By your argument, the kernel should also block admin attempts to > > configure RFC 1918 addresses (10.x.x.x, 192.168.x.x, etc.) on an > > interface. That would put a lot of people behind NAT boxes out of > > business. > > There are no requirements or references to RFC1918, 10.0.0.0/8, > 172.16.0.0/12, or 192.168.0.0/16 in RFC1122. Obviously, because 1918 > 1122. But I don't understand your point. My point is that if it's a private network, you can do whatever you want -- standards that were created to make machines on the same network interoperate don't apply to X if X is on a separate network. There are real people with valid reasons for doing "weird" things, for testing or whatever, on private networks. We shouldn't make life hard for them. If your host sends a 127/8 packet, I'd say chances are better than 90% that you intentionally configured it to do so. Note that "normal" people will still get the standard configuration which prevents transmitting 127/8 packets, as it has for many years, without this new change. So I don't see what the conflict is here, or why this extra check, which adds complexity and confusion, is needed. > > If someone intentionally configures their machine in an unconventional > > way, why automatically assume they are doing something wrong? > > > > My vote is to not have any special cases in the kernel for 127/8... > > rc.conf, rc.network, rc.firewall, et. al. is fine, but nothing > > in the kernel. > > You definately want to at least block incoming 127.0.0.1 in the > kernel. Not doing so is a big security hole. Let's revisit that > discussion all over again, > > http://www.securityfocus.com/archive/1/166648 Yes, of course. We're talking about sending, not receiving, packets though. -Archie __________________________________________________________________________ Archie Cobbs * Packet Design * http://www.packetdesign.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200202190443.g1J4hji92220>