Re: Interface Envy
Wade Burgett <wadeb@burgettsys.com> writes:
> I think the anti-spoof rules in the 2.2.x kernels should make this safe.
> Anything coming on the other interfaces w/ the 127.0.0.1 address won't be
> allowed.
True, but (I apologize for having been so brief) my question was meant
the other way around:
Given that we do see legitimate packets coming and going via the lo
interface using the machine's non-lo interface IPs (e.g. when you post
mail from the same machine to "myhost.mydomain.org" instead of to
"localhost"), is it safe to assume that *anything* coming in or out
via the 'lo' interface is locally generated, or should the rules be
careful to only allow 'lo' traffic to/from the legitimate IP addresses
of this machine?
For example, a machine with three valid IP addresses:
on eth0 123.1.2.3 external net
on eth1 10.0.0.8 internal net
on lo 127.0.0.1 local
is it safe for us to allow all 'lo' traffic by saying:
ipchains -A input -j ACCEPT -i lo
ipchains -A output -j ACCEPT -i lo
or must we enumerate the valid combinations of source and
destination addresses?:
ipchains -A input -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
ipchains -A input -j ACCEPT -i lo -s 127.0.0.1 -d 10.0.0.8
ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 10.0.0.8
ipchains -A input -j ACCEPT -i lo -s 127.0.0.1 -d 123.1.2.3
ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 123.1.2.3
ipchains -A input -j ACCEPT -i lo -s 10.0.0.8 -d 127.0.0.1
ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 127.0.0.1
ipchains -A input -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
ipchains -A input -j ACCEPT -i lo -s 10.0.0.8 -d 123.1.2.3
ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 123.1.2.3
ipchains -A input -j ACCEPT -i lo -s 123.1.2.3 -d 127.0.0.1
ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 127.0.0.1
ipchains -A input -j ACCEPT -i lo -s 123.1.2.3 -d 10.0.0.8
ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 10.0.0.8
ipchains -A input -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3
ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3
Thanks.
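To make the two candidate policies concrete, here is an added example (not part of the original post) that generates the enumerated rule set from the three addresses given above and checks sample packets against both policies under a simplified first-match model of ipchains; the foreign source address 192.0.2.5 is a constructed test value.

```python
from itertools import product

# The three addresses from the post: lo, internal (eth1), external (eth0).
LOCAL_IPS = ["127.0.0.1", "10.0.0.8", "123.1.2.3"]
CHAINS = ("input", "output")


def blanket_rules():
    """Policy A: accept everything on lo regardless of addresses."""
    return [{"chain": c, "iface": "lo", "src": None, "dst": None} for c in CHAINS]


def enumerated_rules(local_ips=LOCAL_IPS):
    """Policy B: one ACCEPT per (src, dst) pair of this host's own addresses.

    Rule order matches the post: source varies slowest, then destination,
    then input/output.
    """
    return [
        {"chain": chain, "iface": "lo", "src": src, "dst": dst}
        for src, dst in product(local_ips, repeat=2)
        for chain in CHAINS
    ]


def to_ipchains(rule):
    """Render one rule dict as the ipchains command line it represents."""
    cmd = f"ipchains -A {rule['chain']} -j ACCEPT -i {rule['iface']}"
    if rule["src"] is not None:
        cmd += f" -s {rule['src']}"
    if rule["dst"] is not None:
        cmd += f" -d {rule['dst']}"
    return cmd


def accepts(rules, chain, iface, src, dst):
    """Simplified first-match evaluation: True if an ACCEPT rule in `chain`
    matches the packet. A None field in a rule matches any value. False means
    no listed rule matched, so the chain's default policy would decide."""
    for r in rules:
        if r["chain"] != chain or r["iface"] != iface:
            continue
        if r["src"] is not None and r["src"] != src:
            continue
        if r["dst"] is not None and r["dst"] != dst:
            continue
        return True
    return False


if __name__ == "__main__":
    for r in enumerated_rules():
        print(to_ipchains(r))
    # A lo packet with a non-local source: blanket policy accepts it,
    # the enumerated policy does not.
    print(accepts(blanket_rules(), "input", "lo", "192.0.2.5", "127.0.0.1"))
    print(accepts(enumerated_rules(), "input", "lo", "192.0.2.5", "127.0.0.1"))
```

Running the script prints the 18 enumerated rules in the same order as the post, followed by `True` and `False` for the constructed foreign-source packet.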