Date:      Wed, 13 Feb 2002 13:23:13 -0500
From:      "Michael Meltzer" <mjm@michaelmeltzer.com>
To:        "Ruslan Ermilov" <ru@FreeBSD.ORG>, "Attila Nagy" <bra@fsn.hu>
Cc:        <stable@FreeBSD.ORG>
Subject:   Re: 127/8 in ip_output.c
Message-ID:  <03f401c1b4bb$7f97bfa0$34f820c0@ix1x1000>
References:  <00c701c1b3f3$169409f0$34f820c0@ix1x1000> <Pine.LNX.4.44.0202130930060.21764-100000@scribble.fsn.hu> <01a701c1b33c$733b99a0$34f820c0@ix1x1000> <20020212141520.A8237@sunbay.com> <00c701c1b3f3$169409f0$34f820c0@ix1x1000> <20020213105442.A46245@sunbay.com>

I'll try it out tonight; heard good things about it already. Thank you.

For what it's worth, it seems the problem here is really a
routing table issue. It seems that on FreeBSD-stable (without the code), if
you were trying to ping 127.0.0.2 (which is not defined), the message goes
out the default route, which is a bad thing :-) but adding "route
add -net 127.0.0.0 127.0.0.1 255.0.0.0" cleaned
this up nicely, and BTW is how most interfaces handle unknown local network
hosts
:-) I am sure that there is a problem doing this (never seen localhost
route the 127.* address space :-) but .....


MJM


----- Original Message -----
From: "Ruslan Ermilov" <ru@FreeBSD.ORG>
To: "Michael Meltzer" <mjm@michaelmeltzer.com>; "Attila Nagy" <bra@fsn.hu>
Cc: <stable@FreeBSD.ORG>
Sent: Wednesday, February 13, 2002 3:54 AM
Subject: Re: 127/8 in ip_output.c


> OK, got it.  Let me know if the attached patch fixes the problem for IPF.
>
> On Tue, Feb 12, 2002 at 01:28:37PM -0500, Michael Meltzer wrote:
> > http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-
> >
> > I do not use squid, but http://www.squid-cache.org/Doc/FAQ/FAQ-17.html, the
> > FreeBSD section, uses the 127.* game.
> >
> > http://cr.yp.to/djbdns/faq/cache.html#mixnmatch , it's the 127.* trick again,
> > and if you want to service the inside address you need a rdr from the
> > inside ip to 127.
> >
> >
> > The point is this is too strong a position on the issue; maybe you want a
> > sysctl around it, not unheard of for network RFCs. But frankly you are
> > trying to build firewall functionality into the kernel when most people
> > expect it in their ipf rule set. Worse, their rule set will look right
> > when they try to open it up and lead to "craziness/frustration/very bad
> > words" when it does not work as expected or meet their expectation about
> > what is happening. I've been doing things like this on Solaris/FreeBSD for
> > years to solve network problems.
> >
> > MJM
> >
> > PS. what is the view of the "group"?
> >
> > ----- Original Message -----
> > From: "Ruslan Ermilov" <ru@FreeBSD.ORG>
> > To: "Michael Meltzer" <mjm@michaelmeltzer.com>
> > Cc: <stable@FreeBSD.ORG>
> > Sent: Tuesday, February 12, 2002 7:15 AM
> > Subject: Re: 127/8 in ip_output.c
> >
> >
> > > On Mon, Feb 11, 2002 at 03:41:15PM -0500, Michael Meltzer wrote:
> > > >
> > > >    I just got caught by the block of all 127/8 in ip_output.c. At this
> > > >    point I have recompiled my system to remove it, but frankly I think it
> > > >    should be removed from the OS. What happened is that it took out djbdns
> > > >    along with IPF; now those systems were configured based on their
> > > >    respective HOWTOs. Unless someone wants to start changing all the HOWTOs
> > > >    this is asking for trouble. This is not nice. Luckily I knew how to code,
> > > >    where to look and compile a kernel; think everyone who uses FreeBSD
> > > >    will be so lucky? The RFC wants to prevent 127/8 from leaving the
> > > >    box, but could it be done without breaking the tools.
> > > >
> > > Could you please forward me a reference to this HOWTO?
> > >
> > >
> > > Cheers,
> > > --
> > > Ruslan Ermilov Sysadmin and DBA,
> > > ru@sunbay.com Sunbay Software AG,
> > > ru@FreeBSD.org FreeBSD committer,
> > > +380.652.512.251 Simferopol, Ukraine
> > >
> > > http://www.FreeBSD.org The Power To Serve
> > > http://www.oracle.com Enabling The Information Age
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-stable" in the body of the message
>
> On Wed, Feb 13, 2002 at 09:35:02AM +0100, Attila Nagy wrote:
> > Hello,
> >
> > > http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-
> > Besides that I often use jail to separate different services on the same
> > machine.
> > For this task I like to use addresses from the 127/8 range and bind the
> > jails to those on the lo0 interface.
> >
> > For a shell jail I can run this on 127.0.0.5 with a RDR line in
> > /etc/ipnat.rules:
> > rdr fxp0 1.2.3.4/32 port 22 -> 127.0.0.5 port 22
> >
> > And if users want to connect out from this jail I specify a:
> > map fxp0 127.0.0.5/32 -> 1.2.3.4/32
> >
> > As you can see, this way I don't use 127/8 addresses on external
> > interfaces, but the current behaviour stops this, because it sees the
> > traffic before IPF can NAT the packets, so it denies the 127.0.0.5.
> >
> > I think this is not a breakage of the RFC, since I use 127/8 *internally*
> > for an internal network (that's what 127/8 is for) and FreeBSD prevents it
> > from working.
> >
> > I think it should be very good to give a sysctl for setting this...
> >
> > Thanks,
>
> > --------------------------------------------------------------------------
> > Attila Nagy                                    e-mail: Attila.Nagy@fsn.hu
> > Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
> > H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758
>
>
> --
> Ruslan Ermilov Sysadmin and DBA,
> ru@sunbay.com Sunbay Software AG,
> ru@FreeBSD.org FreeBSD committer,
> +380.652.512.251 Simferopol, Ukraine
>
> http://www.FreeBSD.org The Power To Serve
> http://www.oracle.com Enabling The Information Age
>


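As an added illustration of the routing-table point at the top of this message (example code, not from the thread or from FreeBSD), the following Python longest-prefix-match model uses a constructed routing table to show that 127.0.0.2 matches only the default route, and so would leave on the external interface, until the equivalent of "route add -net 127.0.0.0 127.0.0.1 255.0.0.0" is present. Interface names, the 192.0.2.0/24 LAN and the gateway address are assumptions.

```python
import ipaddress

# Constructed FreeBSD-style routing table: (destination, gateway, interface).
# Note there is only a host route for 127.0.0.1; nothing covers the rest of 127/8.
BASE_TABLE = [
    ("0.0.0.0/0", "192.0.2.1", "fxp0"),    # default route (constructed gateway)
    ("127.0.0.1/32", "127.0.0.1", "lo0"),   # loopback host route, as installed by default
    ("192.0.2.0/24", "link#1", "fxp0"),     # directly connected LAN (constructed)
]

# Equivalent of: route add -net 127.0.0.0 127.0.0.1 255.0.0.0
LOOPBACK_NET_ROUTE = ("127.0.0.0/8", "127.0.0.1", "lo0")

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def lookup(table, dst):
    """Longest-prefix match over the table; returns (network, gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, ifc in table:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return best


def egress_interface(table, dst):
    """Interface a packet to dst would be sent on, or None if unroutable."""
    match = lookup(table, dst)
    return match[2] if match else None


def leaks_loopback(table, dst):
    """True when a 127/8 destination would leave the box on a non-loopback interface.

    This is the condition the ip_output.c check exists to prevent; a 127/8 net
    route pointing at lo0 removes it without a kernel-level drop.
    """
    if ipaddress.ip_address(dst) not in LOOPBACK_NET:
        return False
    return egress_interface(table, dst) not in ("lo0", None)


if __name__ == "__main__":
    for table, label in ((BASE_TABLE, "without"), (BASE_TABLE + [LOOPBACK_NET_ROUTE], "with")):
        print(label, "127/8 net route: 127.0.0.2 ->", egress_interface(table, "127.0.0.2"),
              "leaks:", leaks_loopback(table, "127.0.0.2"))
```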