From owner-freebsd-stable Tue Feb 12 11:33:12 2002
Delivered-To: freebsd-stable@freebsd.org
Message-ID: <00c701c1b3f3$169409f0$34f820c0@ix1x1000>
From: "Michael Meltzer"
To: "Ruslan Ermilov"
References: <01a701c1b33c$733b99a0$34f820c0@ix1x1000> <20020212141520.A8237@sunbay.com>
Subject: Re: 127/8 in ip_output.c
Date: Tue, 12 Feb 2002 13:28:37 -0500

http://www.obfuscation.org/ipf/ipf-howto.txt, about page 28 +/-.

I do not use squid, but in http://www.squid-cache.org/Doc/FAQ/FAQ-17.html the FreeBSD section uses the 127.* game.

http://cr.yp.to/djbdns/faq/cache.html#mixnmatch: it is the 127.* trick again, and if you want to service the inside address you need a rdr from the inside IP to 127.

The point is this is too strong a position on the issue; maybe you want a sysctl around it, which is not unheard of for network RFCs. But frankly you are trying to build firewall functionality into the kernel when most people expect it in their ipf rule set. Worse yet, their rule set will look right when they try to open it up, and lead to "craziness/frustration/very bad works" when it does not work as expected or meet their expectation about what is happening.
I have been doing things like this on Solaris/FreeBSD for years to solve network problems.

MJM

PS. What is the view of the "group"?

----- Original Message -----
From: "Ruslan Ermilov"
To: "Michael Meltzer"
Sent: Tuesday, February 12, 2002 7:15 AM
Subject: Re: 127/8 in ip_output.c

> On Mon, Feb 11, 2002 at 03:41:15PM -0500, Michael Meltzer wrote:
> >
> > I just got caught by the block of all 127/8 in ip_output.c. At this point
> > I have recompiled my system to remove it, but frankly I think it should
> > be removed from the OS. What happened is that it took out djbdns along
> > with IPF; now those systems were configured based on their respective
> > HOWTOs. Unless someone wants to start changing all the HOWTOs, this
> > is asking for trouble. This is not nice. Luckily I knew how to code,
> > where to look and how to compile a kernel; think everyone who uses FreeBSD
> > will be so lucky? The RFC wants to prevent 127/8 from leveling the
> > box, but could it be done without breaking the tools?
> >
> Could you please forward me a reference to this HOWTO?
>
>
> Cheers,
> --
> Ruslan Ermilov        Sysadmin and DBA,
> ru@sunbay.com         Sunbay Software AG,
> ru@FreeBSD.org        FreeBSD committer,
> +380.652.512.251      Simferopol, Ukraine
>
> http://www.FreeBSD.org    The Power To Serve
> http://www.oracle.com     Enabling The Information Age
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message