Date: Tue, 19 Feb 2002 08:44:38 -0800 (PST)
From: Archie Cobbs <archie@dellroad.org>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: cjclark@alum.mit.edu, Archie Cobbs <archie@dellroad.org>, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, net@FreeBSD.ORG
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Message-ID: <200202191644.g1JGidW95983@arch20m.dellroad.org>
In-Reply-To: <20020219082513.GA49060@sunbay.com> "from Ruslan Ermilov at Feb 19, 2002 10:25:13 am"
Ruslan Ermilov writes:
> > > Note that "normal" people will still get the standard configuration
> > > which prevents transmitting 127/8 packets, as it has for many years,
> > > without this new change.
> >
> > No, as I have had to repeat many times, a stock FreeBSD system did NOT
> > behave properly in this respect. Take a stock FreeBSD system before
> > the change, sniff the default route, and type,
> >
> > $ ping 127.0.0.2
> >
> > And watch the loopback packets head out onto the wire.

Yes this is broken.. but only IF you are using the normal configuration
where 127.0.0.1/8 is configured on lo0. So the bug is in the kernel
routing to the 127/8 network, which should be via lo0 instead of the
default route. The fact that 127/8 is normally configured on lo0 is a
policy matter.

> I fully agree. Or yet worse,
>
> ping -S 127.0.0.1 1.2.3.4
>
> which could not be fixed by just adding a route to -net 127.

Wait!! If I specify "-S 127.0.0.1" then that's what I want!
Besides, you could use "-S 0.1.2.3" or any of millions of other
"illegal" source IP addresses -- do we need a special kernel hack
to prevent those as well?? "-S" means "Kernel, use this source
address and DON'T ARGUE!"

> > But what's the point of sending them if systems can't receive them? If
> > you need to remove five lines from ip_input.c to get them in the machine,
> > why not just remove the same five from ip_output.c too (not that
> > in_canforward(), in.c, hasn't blocked loopback packets for even longer
> > than the input and output routines).

Here's one example: you are probing other machines for broken firewalls.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
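As an added illustration (not code from this thread or from FreeBSD), a small Python model of the two approaches being argued over: longest-prefix routing over constructed route tables shows why a stock table holding only a host route for 127.0.0.1 on lo0 sends `ping 127.0.0.2` out the default route and why a 127/8 route via lo0 fixes that case, while a separate egress check models what an ip_output()-style policy catches that no route can, namely a 127/8 source address on a packet bound for an external host (`ping -S 127.0.0.1 1.2.3.4`). Interface names and table entries are constructed sample data.

```python
# Added example, not from the thread or the FreeBSD source. Models the
# routing argument (127/8 should be reached via lo0) and the ip_output()
# policy argument (never let 127/8 traffic leave a non-loopback interface).
from ipaddress import IPv4Address, IPv4Network

LOOPBACK = IPv4Network("127.0.0.0/8")

# Constructed routing tables: prefix -> outgoing interface.
STOCK_TABLE = {
    IPv4Network("127.0.0.1/32"): "lo0",    # only the host route for lo0's address
    IPv4Network("192.0.2.0/24"): "fxp0",   # directly attached LAN (sample)
    IPv4Network("0.0.0.0/0"): "fxp0",      # default route
}
# The routing fix from the thread: a -net 127 route via lo0.
FIXED_TABLE = {**STOCK_TABLE, IPv4Network("127.0.0.0/8"): "lo0"}


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = IPv4Address(dst)
    matches = [(net, ifp) for net, ifp in table.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress_allowed(table, src, dst):
    """ip_output()-style check: route the packet, then refuse it if it
    carries a 127/8 source or destination but would leave a non-loopback
    interface. Returns (allowed, interface)."""
    ifp = lookup(table, dst)
    touches_loopback = IPv4Address(src) in LOOPBACK or IPv4Address(dst) in LOOPBACK
    if ifp != "lo0" and touches_loopback:
        return False, ifp
    return True, ifp


if __name__ == "__main__":
    # Stock table: 127.0.0.2 only matches the default route, so it goes to fxp0.
    print(lookup(STOCK_TABLE, "127.0.0.2"))
    # Fixed table: the 127/8 route via lo0 is more specific than the default.
    print(lookup(FIXED_TABLE, "127.0.0.2"))
    # A spoofed loopback source to an external host: the route is fine,
    # only the egress policy catches it.
    print(egress_allowed(FIXED_TABLE, "127.0.0.1", "1.2.3.4"))
```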