From owner-freebsd-net Sat Jul 1 4:37:28 2000
Delivered-To: freebsd-net@freebsd.org
Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60]) by hub.freebsd.org (Postfix) with ESMTP id 8977F37B5A6 for ; Sat, 1 Jul 2000 04:37:26 -0700 (PDT) (envelope-from Jan.Grant@bristol.ac.uk)
Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV with ESMTP; Sat, 1 Jul 2000 12:37:21 +0100
Received: from localhost (cmjg@localhost) by mail.ilrt.bris.ac.uk (8.8.7/8.8.8) with ESMTP id MAA22130; Sat, 1 Jul 2000 12:37:20 +0100 (BST)
Date: Sat, 1 Jul 2000 12:37:20 +0100 (BST)
From: Jan Grant
To: net@freebsd.org
Subject: Ingress filtering to loopback address: is there any way to do this without a full firewall install?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sorry about the repost; I sent this to questions with no response.

For a random service running on a random machine:

On machine A (192.168.0.1):

    hostA:/> netstat -an | grep 5998
    tcp4  0  0  127.0.0.1.5998  *.*  LISTEN

On machine B (192.168.0.2):*

    hostB:/> ifconfig lo down
    hostB:/> route add -host 127.0.0.1 gw 192.168.0.1
    hostB:/> telnet 127.0.0.1 5998
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    RANDOMSERVICE (hostA) welcomes you...

Is there a way to stop the delivery of non-localhost-originated packets to services listening on a loopback address without building a firewall into the kernel?

Cheers in advance,
jan

PS. I'd appreciate a CC: directly; I'm not (currently) subscribed to fbsd-net. Thanks!

* This machine was "another free unix-a-like", hence the interface name, etc.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287163 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
If it's broken really badly - don't fix it either.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
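The following Python model is an added illustration of the problem in the post above; it is not part of Jan's mail nor any FreeBSD code. It replays the scenario (a service on host A bound only to 127.0.0.1, and a LAN peer that routes 127.0.0.1 via A's real address, so the packet lands on A's Ethernet interface with a loopback destination) and shows why the socket accepts it: a socket bound to 127.0.0.1 checks the destination address, not the interface the packet came in on. The check modelled here is the standard "martian" rule from RFC 1122 section 3.2.1.3: a packet whose source or destination lies in 127.0.0.0/8 but that was received on anything other than the loopback interface is dropped before it reaches any socket. The interface name fxp0, the listener table and all packets are constructed for the example.

```python
"""Model of loopback ingress filtering (added example, not from the mailing-list post)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

LOOPBACK_NET = IPv4Network("127.0.0.0/8")
LOOPBACK_IFACE = "lo0"          # FreeBSD's loopback interface name


@dataclass(frozen=True)
class Packet:
    ingress_iface: str          # interface the packet was received on
    src: IPv4Address
    dst: IPv4Address
    dport: int


def make_packet(iface: str, src: str, dst: str, dport: int) -> Packet:
    """Build a Packet from plain strings (convenience for the sample below)."""
    return Packet(iface, IPv4Address(src), IPv4Address(dst), dport)


def is_martian_loopback(pkt: Packet) -> bool:
    """Ingress check: a 127/8 source or destination is only legitimate on lo0.

    RFC 1122 (3.2.1.3) says loopback addresses must never appear on a network,
    so a packet carrying one that arrives on a real interface is bogus and can
    be dropped before any socket sees it.
    """
    if pkt.ingress_iface == LOOPBACK_IFACE:
        return False
    return pkt.src in LOOPBACK_NET or pkt.dst in LOOPBACK_NET


Listeners = Dict[Tuple[IPv4Address, int], str]


def deliver(pkt: Packet, listeners: Listeners, ingress_filter: bool) -> Optional[str]:
    """Return the name of the service that would receive pkt, or None.

    `listeners` mirrors netstat's LISTEN lines: (bound address, port) -> name.
    Socket lookup matches on destination address and port only, so without an
    ingress check a packet for 127.0.0.1 is delivered whichever interface it
    arrived on; that is exactly what the remote telnet in the mail shows.
    """
    if ingress_filter and is_martian_loopback(pkt):
        return None
    return listeners.get((pkt.dst, pkt.dport))


def simulate() -> Dict[str, Optional[str]]:
    """Replay the mail's scenario with and without the ingress check."""
    # Host A's listener table, as in the netstat output in the mail.
    listeners: Listeners = {(IPv4Address("127.0.0.1"), 5998): "RANDOMSERVICE"}

    # Constructed packets. "fxp0" is an assumed name for host A's LAN interface.
    # Host B has routed 127.0.0.1 via 192.168.0.1, so its packet arrives on fxp0.
    from_host_b = make_packet("fxp0", "192.168.0.2", "127.0.0.1", 5998)
    # A genuine local client on host A comes in over lo0.
    from_local = make_packet(LOOPBACK_IFACE, "127.0.0.1", "127.0.0.1", 5998)

    return {
        "lan_to_loopback_unfiltered": deliver(from_host_b, listeners, ingress_filter=False),
        "lan_to_loopback_filtered": deliver(from_host_b, listeners, ingress_filter=True),
        "local_to_loopback_filtered": deliver(from_local, listeners, ingress_filter=True),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:30s} -> {result}")
```

The check keys on the receiving interface rather than on the packet addresses alone, which is why it cannot be expressed by the socket layer's bind address and has to sit at packet ingress; in the kernel that is a firewall hook or an equivalent per-interface input check, which is the trade-off the post is asking about.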