From owner-cvs-all  Sat Feb  2  6: 2: 4 2002
Delivered-To: cvs-all@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7229F37B404; Sat,  2 Feb 2002 06:01:58 -0800 (PST)
Received: from hades.hell.gr (patr530-b144.otenet.gr [212.205.244.152])
	by mailsrv.otenet.gr (8.12.2/8.12.2) with ESMTP id g12E1oLA024768;
	Sat, 2 Feb 2002 16:01:51 +0200 (EET)
Received: (from charon@localhost)
	by hades.hell.gr (8.11.6/8.11.6) id g12E1nq88983;
	Sat, 2 Feb 2002 16:01:49 +0200 (EET)
	(envelope-from keramida@freebsd.org)
Date: Sat, 2 Feb 2002 16:01:48 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Stefan `Sec` Zehl <sec@42.org>
Cc: Ruslan Ermilov <ru@freebsd.org>, cvs-committers@freebsd.org,
	cvs-all@freebsd.org
Subject: Re: cvs commit: src/sys/netinet ip_output.c
Message-ID: <20020202140147.GA71238@hades.hell.gr>
References: <200202011042.g11Ag9U93410@freefall.freebsd.org> <20020202123007.GA19270@matrix.42.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020202123007.GA19270@matrix.42.org>
User-Agent: Mutt/1.3.25i
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On 2002-02-02 13:30, Stefan `Sec` Zehl wrote:
> On Fri, Feb 01, 2002 at 02:42:09AM -0800, Ruslan Ermilov wrote:
> > ru          2002/02/01 02:42:09 PST
> > 
> >   Modified files:        (Branch: RELENG_4)
> >     sys/netinet          ip_output.c 
> >   Log:
> >   MFC: 1.148: { 127, <any> } MUST NOT appear outside a host.
> 
> Wouldn't preventing FreeBSD to receive 127.x from non-loopback
> interfaces make more sense than preventing to send it?

That's probably OK too.  I've used a firewall for similar filtering
until now.  For instance, packets from/to one of the address blocks
listed in RFC 1918 should never appear on my dialup interface.

Since the local configuration is not known to the kernel, filtering of
rfc1918 addresses can only be done with a firewall, but about loopback
interfaces you're right that ip_input() should probably be changed too.

Cheers,

-- 
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . . http://www.freebsd.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message