From: Archie Cobbs
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Date: Tue, 19 Feb 2002 08:44:38 -0800 (PST)
To: Ruslan Ermilov
Cc: cjclark@alum.mit.edu, Archie Cobbs, Garrett Wollman, net@FreeBSD.ORG
Message-Id: <200202191644.g1JGidW95983@arch20m.dellroad.org>
In-Reply-To: <20020219082513.GA49060@sunbay.com> "from Ruslan Ermilov at Feb 19, 2002 10:25:13 am"

Ruslan Ermilov writes:
> > > Note that "normal" people will still get the standard configuration
> > > which prevents transmitting 127/8 packets, as it has for many years,
> > > without this new change.
> >
> > No, as I have had to repeat many times, a stock FreeBSD system did NOT
> > behave properly in this respect. Take a stock FreeBSD system before
> > the change, sniff the default route, and type,
> >
> >   $ ping 127.0.0.2
> >
> > And watch the loopback packets head out onto the wire.

Yes, this is broken... but only IF you are using the normal configuration
where 127.0.0.1/8 is configured on lo0.
So the bug is in the kernel routing to the 127/8 network, which should be
via lo0 instead of the default route. The fact that 127/8 is normally
configured on lo0 is a policy matter.

> I fully agree. Or yet worse,
>
>   ping -S 127.0.0.1 1.2.3.4
>
> which could not be fixed by just adding a route to -net 127.

Wait!! If I specify "-S 127.0.0.1" then that's what I want! Besides, you
could use "-S 0.1.2.3" or any of millions of other "illegal" source IP
addresses -- do we need a special kernel hack to prevent those as well??
"-S" means "Kernel, use this source address and DON'T ARGUE!"

> > But what's the point of sending them if systems can't receive them? If
> > you need to remove five lines ip_input.c to get them in the machine,
> > why not just remove the same five from ip_output.c too (not that
> > in_canforward(), in.c, hasn't blocked loopback packets for even longer
> > than the input and output routines).

Here's one example: you are probing other machines for broken firewalls.

-Archie

__________________________________________________________________________
Archie Cobbs   *   Packet Design   *   http://www.packetdesign.com
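The following C program is an added example, not code from FreeBSD's ip_output.c/ip_input.c and not written by anyone in this thread. It models in userland the two mechanisms the exchange turns on: destination-based longest-prefix routing, under which a packet to 127.0.0.2 takes the default route unless a "-net 127" route via lo0 exists, and an output-side check that refuses to hand 127/8 traffic to a non-loopback interface, with an optional extension to the source address for the "ping -S 127.0.0.1 1.2.3.4" case. The interface names em0 and lo0, the two constructed route tables, and every function name (route_lookup, should_drop_on_output, in_loopback_net, addr) are assumptions of the example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD code and not from anyone in this thread.  It
 * models (1) a routing table in which a 127/8 destination falls through to
 * the default route unless a "-net 127" route via lo0 exists, and (2) an
 * output-side check that refuses to hand 127/8 traffic to a non-loopback
 * interface, optionally extended to the source (the "-S 127.0.0.1" case).
 * All names, tables and interface names here are this example's own. */

#define LOOPBACK_NET 127u
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

struct route {
	uint32_t net;        /* network, host byte order */
	unsigned plen;       /* prefix length; 0 is the default route */
	const char *ifname;  /* outgoing interface */
};

/* Constructed tables: default route only, and after "route add -net 127 -iface lo0". */
static const struct route rt_default_only[] = {
	{ 0x00000000u,  0, "em0" },   /* default via em0 */
	{ 0xc0a80100u, 24, "em0" },   /* 192.168.1.0/24 */
};
static const struct route rt_with_lo0[] = {
	{ 0x00000000u,  0, "em0" },
	{ 0xc0a80100u, 24, "em0" },
	{ 0x7f000000u,  8, "lo0" },   /* 127.0.0.0/8 via lo0 */
};

/* Longest-prefix match; returns the interface name, or NULL if unroutable. */
const char *
route_lookup(const struct route *tbl, size_t n, uint32_t dst)
{
	const struct route *best = NULL;

	for (size_t i = 0; i < n; i++) {
		uint32_t m = tbl[i].plen == 0 ? 0u : 0xffffffffu << (32 - tbl[i].plen);
		if ((dst & m) == tbl[i].net && (best == NULL || tbl[i].plen > best->plen))
			best = &tbl[i];
	}
	return best != NULL ? best->ifname : NULL;
}

/* Is a host-order IPv4 address inside 127.0.0.0/8? */
bool
in_loopback_net(uint32_t a)
{
	return (a >> 24) == LOOPBACK_NET;
}

/* Output policy: anything bound for a loopback interface passes.  On any
 * other interface a 127/8 destination is dropped, and with check_src so is
 * a 127/8 source; a route alone cannot stop the -S case because routes are
 * selected by destination only. */
bool
should_drop_on_output(uint32_t src, uint32_t dst, const char *ifname, bool check_src)
{
	if (ifname != NULL && strncmp(ifname, "lo", 2) == 0)
		return false;
	if (in_loopback_net(dst))
		return true;
	return check_src && in_loopback_net(src);
}

/* Dotted quad to host-order address; 0 on parse failure. */
uint32_t
addr(const char *s)
{
	struct in_addr in;

	return inet_pton(AF_INET, s, &in) == 1 ? ntohl(in.s_addr) : 0u;
}

int
main(void)
{
	uint32_t lo2 = addr("127.0.0.2"), lan = addr("192.168.1.5");
	uint32_t lo1 = addr("127.0.0.1"), outside = addr("1.2.3.4");
	const char *oif;

	/* "ping 127.0.0.2" with no 127/8 route: the default route wins. */
	oif = route_lookup(rt_default_only, NELEM(rt_default_only), lo2);
	printf("127.0.0.2 via %s, dropped=%d\n", oif, should_drop_on_output(lan, lo2, oif, false));

	/* Same ping once -net 127 points at lo0. */
	oif = route_lookup(rt_with_lo0, NELEM(rt_with_lo0), lo2);
	printf("127.0.0.2 via %s, dropped=%d\n", oif, should_drop_on_output(lan, lo2, oif, false));

	/* "ping -S 127.0.0.1 1.2.3.4": only a source check catches it. */
	oif = route_lookup(rt_with_lo0, NELEM(rt_with_lo0), outside);
	printf("-S 127.0.0.1 -> 1.2.3.4 via %s, dropped=%d/%d\n", oif,
	    should_drop_on_output(lo1, outside, oif, false), should_drop_on_output(lo1, outside, oif, true));
	return 0;
}
```

The first two cases show the routing point: with only a default route the 127/8 lookup resolves to em0 and the packet would reach the wire unless ip_output-style filtering stops it, whereas a 127/8 route via lo0 makes the output check irrelevant. The third case shows why a route entry cannot address the -S case at all: routing is keyed on the destination, so 1.2.3.4 still resolves to em0 and only a check on the source address (the check_src flag, which the example leaves as a policy switch) would drop it.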