From owner-freebsd-stable@FreeBSD.ORG Thu Nov 11 07:42:52 2004
Date: Thu, 11 Nov 2004 18:42:42 +1100
From: Peter Jeremy
To: Michael Butler
cc: FreeBSD Stable
Subject: Re: 5.3-RELEASE kde 3.3 and pf
Message-ID: <20041111074242.GP79646@cirb503493.alcatel.com.au>
In-Reply-To: <2894.192.168.1.10.1100096559.squirrel@192.168.1.10>
References: <20041110134853.GB87953@sr.se> <20041110140614.GO85877@weirdos.oban.frmug.org> <2894.192.168.1.10.1100096559.squirrel@192.168.1.10>
User-Agent: Mutt/1.4.2i

On Wed, 2004-Nov-10 09:22:39 -0500, Michael Butler wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>> Maybe you should allow everything on lo0, in and out.
>
>127/8 should always be allowed on the loopback interface,
>127/8 should always be dropped from all other interfaces.
>
>I am "uncomfortable" saying that everything should be allowed ..

I agree with the latter but the former is unnecessarily restrictive.
By default, FreeBSD generates a static route to `hostname` via lo0.
The default ipfw rules are:

100 pass all from any to any via lo0
200 deny all from any to 127.0.0.0/8
300 deny ip from 127.0.0.0/8 to any

-- 
Peter Jeremy
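The thread is about pf, while the three rules Peter quotes are ipfw's defaults. The pf.conf fragment below is an added example (not posted by anyone in the thread and not FreeBSD's shipped configuration) that expresses the same policy in pf syntax: pass everything on lo0 in both directions, and drop any packet involving 127.0.0.0/8 that is seen on any other interface. It assumes the loopback interface is named lo0 and that no earlier rule in the file has already matched the traffic.

```conf
# pf.conf fragment: added example, not the rules from the original message.
#
# pf uses last-match semantics by default, so "quick" is used on every rule
# here to give first-match behaviour like the ipfw rule list quoted above.

# Equivalent of ipfw rule 100 ("pass all from any to any via lo0").
# A rule without "in" or "out" matches both directions, so this covers
# traffic entering and leaving via the loopback interface.
pass quick on lo0 all

# Equivalent of ipfw rules 200 and 300.  "on ! lo0" negates the interface,
# so these match only on non-loopback interfaces, where 127/8 addresses
# should never legitimately appear as source or destination.
block drop quick on ! lo0 from any to 127.0.0.0/8
block drop quick on ! lo0 from 127.0.0.0/8 to any
```

The first rule is narrower than `set skip on lo0`: `set skip` removes lo0 from filtering entirely (and also from logging and state tracking), whereas an explicit `pass quick on lo0 all` keeps lo0 inside the ruleset so it can be logged or tightened later. Syntax-check the file without loading it with `pfctl -nf /etc/pf.conf` before applying it; if the two `block` rules are placed after a broad `pass quick` on the external interface, they will never be reached, so keep them near the top of the filter section.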