Re: Interface Envy



Wade Burgett <wadeb@burgettsys.com> writes:

> I think the anti-spoof rules in the 2.2.x kernels should make this safe. 
> Anything coming on the other interfaces w/ the 127.0.0.1 address won't be
> allowed.

True, but (I apologize for having been so brief) my question was meant
the other way around:

Given that we do see legitimate packets coming and going via the lo
interface using the machine's non-lo interface IPs (e.g. when you post
mail from the same machine to "myhost.mydomain.org" instead of to
"localhost"), is it safe to assume that *anything* coming in or out
via the 'lo' interface is locally generated, or should the rules be
careful to only allow 'lo' traffic to/from the legitimate IP addresses
of this machine?

For example, a machine with three valid IP addresses:

  on eth0   123.1.2.3    external net
  on eth1   10.0.0.8     internal net
  on lo     127.0.0.1    local

is it safe for us to allow all 'lo' traffic by saying:

  ipchains -A input  -j ACCEPT -i lo
  ipchains -A output -j ACCEPT -i lo

or must we enumerate the valid combinations of source and
destination addresses?

  ipchains -A input  -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
  ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
  ipchains -A input  -j ACCEPT -i lo -s 127.0.0.1 -d 10.0.0.8
  ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 10.0.0.8
  ipchains -A input  -j ACCEPT -i lo -s 127.0.0.1 -d 123.1.2.3
  ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 123.1.2.3

  ipchains -A input  -j ACCEPT -i lo -s 10.0.0.8  -d 127.0.0.1
  ipchains -A output -j ACCEPT -i lo -s 10.0.0.8  -d 127.0.0.1
  ipchains -A input  -j ACCEPT -i lo -s 10.0.0.8  -d 10.0.0.8
  ipchains -A output -j ACCEPT -i lo -s 10.0.0.8  -d 10.0.0.8
  ipchains -A input  -j ACCEPT -i lo -s 10.0.0.8  -d 123.1.2.3
  ipchains -A output -j ACCEPT -i lo -s 10.0.0.8  -d 123.1.2.3

  ipchains -A input  -j ACCEPT -i lo -s 123.1.2.3 -d 127.0.0.1
  ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 127.0.0.1
  ipchains -A input  -j ACCEPT -i lo -s 123.1.2.3 -d 10.0.0.8
  ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 10.0.0.8
  ipchains -A input  -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3
  ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3

Thanks.
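As an added example (not from this post or anyone in the thread): a small POSIX shell generator for the enumerated form above, so the host's address list lives in one place instead of eighteen hand-typed lines. It assumes the three addresses from the post and, as a practitioner's addition, appends a logged DENY to each chain so anything on 'lo' outside the enumerated pairs is dropped and visible in the kernel log.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits ipchains rules for
# the loopback interface; nothing is applied unless the output is run.
# LOCAL_ADDRS is constructed from the three addresses in the post above.
LOCAL_ADDRS="127.0.0.1 10.0.0.8 123.1.2.3"

# Print one ACCEPT rule per (chain, source, destination) combination of
# the host's own addresses, then a logged DENY catch-all for each chain
# (-l asks ipchains to log the matching packet via the kernel log).
gen_lo_rules() {
    for src in $LOCAL_ADDRS; do
        for dst in $LOCAL_ADDRS; do
            for chain in input output; do
                printf 'ipchains -A %s -j ACCEPT -i lo -s %s -d %s\n' \
                    "$chain" "$src" "$dst"
            done
        done
    done
    for chain in input output; do
        printf 'ipchains -A %s -j DENY -l -i lo\n' "$chain"
    done
}

# Number of ACCEPT rules produced: N addresses give N*N*2 rules.
count_lo_accept_rules() {
    gen_lo_rules | grep -c ACCEPT
}

# Print the rule set; redirect to a file or pipe to sh to install it.
gen_lo_rules
```

Run it as `sh lo-rules.sh | sh` only after reviewing the printed rules; the DENY lines must come last or they shadow the ACCEPTs.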