Date: Mon, 26 May 2003 22:19:22 +0400
From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To: freebsd-security@freebsd.org
Subject: ip_input.c
Message-ID: <2716866923.20030526221922@internethelp.ru>
Hi, secfolks.
While reading ip_input.c I came across the following lines:
;-------------------------------------------------
/* 127/8 must not appear on wire - RFC1122 */
if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
        /* only accept 127/8 if the packet arrived on a loopback interface */
        if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
                ipstat.ips_badaddr++;
                goto bad;   /* drop the packet */
        }
}
;-------------------------------------------
If we have such wonderful code inside the FreeBSD kernel, do we really
need to duplicate it in the default rc.firewall:
;-------------------------------------------
setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
;-------------------------------------------
I think that they are talking about the same thing, no?
Best Regards.
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
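As an added example (not part of the message above and not FreeBSD source), the C below models both quoted checks over a few constructed packets so the overlap and the gap between them can be seen side by side. It assumes IN_CLASSA_NSHIFT = 24 and IN_LOOPBACKNET = 127 as in <netinet/in.h>, that ip_input() only ever sees received packets, and that ipfw evaluates its rules for both received and transmitted packets.

```c
/* Constructed model of the ip_input.c 127/8 test and of rc.firewall
 * rules 100-300. Not kernel code: addresses are plain host-order
 * uint32_t values (what ntohl() would yield) and the interface is a flag. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IN_CLASSA_NSHIFT 24   /* assumed, as in <netinet/in.h> */
#define IN_LOOPBACKNET   127

enum dir { DIR_IN, DIR_OUT };

struct pkt {
    uint32_t src, dst;   /* host byte order */
    bool     via_lo0;    /* arrived/left on an IFF_LOOPBACK interface */
    enum dir dir;        /* ip_input() is only reached for DIR_IN */
};

static bool is_loopback_net(uint32_t a) {
    return (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET;
}

/* The ip_input.c check: true means the packet is counted in ips_badaddr
 * and dropped. Outbound packets never pass through this test. */
bool kernel_input_drops(const struct pkt *p) {
    if (p->dir != DIR_IN)
        return false;
    if (is_loopback_net(p->dst) || is_loopback_net(p->src))
        return !p->via_lo0;
    return false;
}

/* setup_loopback(): first matching rule wins, and ipfw sees both directions. */
bool ipfw_drops(const struct pkt *p) {
    if (p->via_lo0)               return false;  /* 100 pass all ... via lo0 */
    if (is_loopback_net(p->dst))  return true;   /* 200 deny all from any to 127/8 */
    if (is_loopback_net(p->src))  return true;   /* 300 deny ip from 127/8 to any */
    return false;                                /* fall through to later rules */
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

int main(void) {
    struct pkt cases[] = {
        { IP(10,0,0,5),  IP(127,0,0,1), false, DIR_IN  },  /* 127/8 seen on the wire */
        { IP(127,0,0,1), IP(10,0,0,5),  false, DIR_OUT },  /* host emitting a 127/8 source */
        { IP(127,0,0,1), IP(127,0,0,1), true,  DIR_IN  },  /* genuine loopback traffic */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: kernel drops=%d ipfw drops=%d\n", i,
               kernel_input_drops(&cases[i]), ipfw_drops(&cases[i]));
    return 0;
}
```

In this model the two checks agree for received packets, while only the ipfw rule 300 catches a 127/8 source leaving the host on a non-loopback interface.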
