From owner-freebsd-security@FreeBSD.ORG  Mon May 26 11:19:52 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 28A7637B401
	for <freebsd-security@freebsd.org>;
	Mon, 26 May 2003 11:19:52 -0700 (PDT)
Received: from mail-pm.star.spb.ru (mail-pm.star.spb.ru [217.195.82.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F0C2D43F85
	for <freebsd-security@freebsd.org>;
	Mon, 26 May 2003 11:19:50 -0700 (PDT)
	(envelope-from nkritsky@internethelp.ru)
Received: from pink.star.spb.ru ([217.195.82.10])
	by mail-pm.star.spb.ru (8.12.9/8.12.8) with ESMTP id h4QIJnPW028552
	for <freebsd-security@freebsd.org>;
	Mon, 26 May 2003 22:19:49 +0400 (MSD)
Received: from IBMKA ([217.195.82.7]) by pink.star.spb.ru with SMTP (Microsoft
	Exchange Internet Mail Service Version 5.5.2653.13)
	id K74KPG67; Mon, 26 May 2003 22:19:49 +0400
Date: Mon, 26 May 2003 22:19:22 +0400
From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
X-Mailer: The Bat! (v1.49) Personal
X-Priority: 3 (Normal)
Message-ID: <2716866923.20030526221922@internethelp.ru>
To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: ip_input.c
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 May 2003 18:19:52 -0000

  Hi, secfolks.

While reading ip_input.c I have met following lines:

;-------------------------------------------------
    /* 127/8 must not appear on wire - RFC1122 */
    if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
        (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
            if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
                    ipstat.ips_badaddr++;
                    goto bad;
            }
    }
;-------------------------------------------
If we have such wonderful code inside freeBSD kernel, do we really
need to duplicate in default rc.firewall:
;-------------------------------------------
setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
;-------------------------------------------

I think that they are talking about the same thing, no?

Best Regards.
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru