Re: Interface Envy
Hi
On Tue, Jan 25, 2000 at 09:06:25PM -0500, David Coe wrote:
[snip]
> Given that we do see legitimate packets coming and going via the lo
> interface using the machine's non-lo interface IP's (e.g. when you post
> mail from the same machine to "myhost.mydomain.org" instead of to
> "localhost"), is it safe to assume that *anything* coming in or out
> via the 'lo' interface is locally generated, or should the rules be
> careful to only allow 'lo' traffic to/from the legitimate IP addresses
> of this machine?
>
> For example, a machine with three valid IP addresses:
>
> on eth0 123.1.2.3 external net
> on eth1 10.0.0.8 internal net
> on lo 127.0.0.1 local
>
> is it safe for us to allow all 'lo' traffic by saying:
>
> ipchains -A input -j ACCEPT -i lo
> ipchains -A output -j ACCEPT -i lo
As far as I know this is safe, but perhaps you should
get the opinion of some other people :)
> or must we enumerate the valid combinations of source and
> destination addresses?:
If you want to make sure, you could do that, but I think your
rules are wrong. Won't the machine always use the same source
and dest addresses for stuff sent/received over lo?
i.e. All you should need is the following:
> ipchains -A input -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
> ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
[snip]
> ipchains -A input -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
> ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
[snip]
> ipchains -A input -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3
> ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3
--
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
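As an added illustration, not part of the thread, here is a small Python model of how the two rule sets discussed above (accept everything on lo, versus enumerating each local address as both source and destination) treat a few constructed packets. The rule-matching logic, the sample packets and the DENY default policy are assumptions of the model, not ipchains output.

```python
from dataclasses import dataclass
from typing import List, Optional

# Toy model of ipchains matching on -i, -s and -d (example code, not ipchains).
# A rule with src/dst of None matches any address, like omitting -s or -d.

@dataclass(frozen=True)
class Rule:
    iface: str
    target: str = "ACCEPT"
    src: Optional[str] = None
    dst: Optional[str] = None

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.src in (None, pkt.src)
            and rule.dst in (None, pkt.dst))

def verdict(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# Option 1 from the thread: accept everything seen on lo.
ACCEPT_ALL_LO = [Rule(iface="lo")]

# Option 2 from the thread: one rule per local address, same src and dst.
LOCAL_ADDRS = ["127.0.0.1", "10.0.0.8", "123.1.2.3"]
ENUMERATED_LO = [Rule(iface="lo", src=a, dst=a) for a in LOCAL_ADDRS]

# Constructed packets (assumed values) for comparing the two policies.
SAMPLE_PACKETS = {
    "mail to myhost via lo": Packet("lo", "123.1.2.3", "123.1.2.3"),
    "localhost via lo":      Packet("lo", "127.0.0.1", "127.0.0.1"),
    "mixed addrs via lo":    Packet("lo", "10.0.0.8", "127.0.0.1"),
    "127.0.0.1 seen on eth0": Packet("eth0", "127.0.0.1", "127.0.0.1"),
}

def compare(pkt: Packet) -> dict:
    """Verdict of each policy for one packet, keyed by policy name."""
    return {"accept_all_lo": verdict(ACCEPT_ALL_LO, pkt),
            "enumerated_lo": verdict(ENUMERATED_LO, pkt)}
```

Running `compare` over `SAMPLE_PACKETS` shows that both policies refuse a 127.0.0.1 source arriving on eth0, and that only the enumerated rules drop the mixed-address pair on lo.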