
Re: Strange firewall logs



Micah Anderson wrote:

> Ah, looking at my firewall I've got:
>
> -A output -s 127.0.0.1/255.0.0.0 -d 127.0.0.1/255.0.0.0 -p 17 -j ACCEPT
> -A output -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> -A output -s 0.0.0.0/0.0.0.0 -d 127.0.0.0/255.0.0.0 -j REJECT -l
> -A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
> -A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
>
> So from what you are saying I should add:
>
> -A output -s 127.0.0.1/255.0.0.0 0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 3 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 4 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 8 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 11 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 12 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
>
> ?
>
> Should these be allowable from 127.0.0.1 to anywhere? And would the ICMP
> port originate on the 127.0.0.1 end or the destination end?

No, 127.0.0.0/8 addresses should never be allowed on any interface other than loopback. Conversely, you should not accept traffic from these addresses on any interface other than loopback.

A nice way to do this with ipchains is:

ipchains -A input ! -i lo  -s 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo  -s 127.0.0.0/8 -j DENY
ipchains -A input ! -i lo  -d 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo  -d 127.0.0.0/8 -j DENY

Regards

Simon Murcott
e. simon@murcott.net
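As an added illustration (not part of either message), a small Python evaluator for the ipchains option subset used in this thread: it parses Simon's four rules and reports whether a packet on a given interface would be denied, which makes the "only on loopback" policy easy to check against sample packets. The sample addresses and the assumption that the chain policy is ACCEPT are mine.

```python
# Tiny first-match evaluator for the ipchains rule subset used in this thread.
import ipaddress

OPTS = {"-A": "chain", "-i": "iface", "-s": "src", "-d": "dst", "-p": "proto", "-j": "target"}


def parse_rule(text):
    """Parse one ipchains command line into a dict ('!' before -i negates it)."""
    tok = [t for t in text.split() if t not in ("ipchains", "-l")]  # -l is the log flag
    rule = dict.fromkeys(OPTS.values(), None)
    rule["iface_neg"] = False
    neg, i = False, 0
    while i < len(tok):
        if tok[i] == "!":
            neg, i = True, i + 1
            continue
        opt, arg = tok[i], tok[i + 1]
        if opt not in OPTS:
            raise ValueError("unsupported option: " + opt)
        if opt in ("-s", "-d"):  # accepts both /8 and /255.0.0.0 forms used in the thread
            arg = ipaddress.ip_network(arg, strict=False)
        if opt == "-i":
            rule["iface_neg"] = neg
        rule[OPTS[opt]] = arg
        neg, i = False, i + 2
    return rule


def verdict(rules, chain, iface, src, dst, proto="6", policy="ACCEPT"):
    """Target of the first rule in `chain` matching the packet, else the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["iface"] is not None and (iface == r["iface"]) == r["iface_neg"]:
            continue  # '! -i lo' matches every interface except lo
        if any(r[k] is not None and a not in r[k] for k, a in (("src", s), ("dst", d))):
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        return r["target"]
    return policy

# Simon's four rules, as given in the reply above
LOOPBACK_RULES = [parse_rule(r) for r in (
    "ipchains -A input ! -i lo -s 127.0.0.0/8 -j DENY",
    "ipchains -A output ! -i lo -s 127.0.0.0/8 -j DENY",
    "ipchains -A input ! -i lo -d 127.0.0.0/8 -j DENY",
    "ipchains -A output ! -i lo -d 127.0.0.0/8 -j DENY",
)]
```

Feeding Micah's first quoted rule through `parse_rule` and placing it after Simon's rules shows why the interface match matters: without `! -i lo`, a 127.x packet on eth0 would be accepted.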