Re: Interface Envy
On Wed, Jan 26, 2000 at 08:21:33AM +0100, Michael Meskes wrote:
> On Wed, Jan 26, 2000 at 08:24:00AM +0200, Michael Wood wrote:
> > > ipchains -A input -j ACCEPT -i lo
> > > ipchains -A output -j ACCEPT -i lo
> > As far as I know this is safe, but perhaps someone you should
> > get the opinion of some other people :)
> And why is it safe? Anti-spoofing?
No, because how does one spoof the interface? Someone can send
a packet "from" 127.0.0.1, but how can they get the Linux kernel
to believe it received the packet on the loopback interface?
The rules above specify the loopback interface. If someone
spoofs a packet from 127.0.0.1 and sends it to a Linux box which
receives it on eth0, it will not match the above rules.
> > If you want to make sure, you could do that, but I think your
> > rules are wrong. Won't the machine always use the same source
> > and dest addresses for stuff sent/received over lo?
> No. I once had such a set of rules and found out the hard way that I
> couldn't traceroute localhost because it had the real ip address as source.
hmmm... OK, I've just tested this and see you are correct. You
can get traceroute to use 127.0.0.1 (with the -s parameter) but
by default it seems to use the IP address associated with eth0.
ping seems to use the same source and dest addresses when
pinging any IP address associated with an interface on the local
machine, but I suppose you'll have to use the full set of rules
accounting for all possibilities of source and dest addresses if
you are not comfortable with the rules that just allow
everything for "lo."
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
email@example.com | Fax: +27 21 761 9930 | Kingsley Technologies