
Re: 127.0.0.0/8 addresses from the network



In message <20010309230130.25832.qmail@alongtheway.com>, Jim Breton writes:
>On Fri, Mar 09, 2001 at 08:49:54PM +0000, Jim Breton wrote:
>> # deny and log all packets trying to come in from a 127.0.0.0/8 address
>> # over a non-'lo' interface
>
>Oops.  Just occurred to me that this is not what you were asking about.
>Why do I do such things?
>
>Anyway.
>
>/etc/ipmasq/rules/I90external.def
<snip>
>Since we have a default drop and log coming later in the rules
>(/etc/ipmasq/rules/ZZZdenyandlog.def), this will take care of your
>concern.

Actually we trap illegal packets like this one in I15lospoof.def. 

:#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
:#: over a non-'lo' interface
case $MASQMETHOD in
ipfwadm)
    # ipfwadm has no "not this interface" match, so one deny rule is added
    # per configured internal/external interface (-o logs the match)
    if [ -n "$INTERNAL" -o -n "$EXTERNAL" ]; then
        for i in $INTERNAL $EXTERNAL; do
            $IPFWADM -I -a deny -W $i -S 127.0.0.1/255.0.0.0 -o
        done
    fi
    ;;
ipchains)
    # single rule: deny (-j DENY) and log (-l) anything not arriving on lo
    $IPCHAINS -A input -j DENY -i ! lo -s 127.0.0.1/255.0.0.0 -l
    ;;
netfilter)
    # netfilter logs and drops with separate targets; LOG is non-terminating,
    # so the DROP rule has to follow it for the packet to actually be denied
    $IPTABLES -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
    $IPTABLES -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
    ;;
esac

Although there is a final deny rule, this one works better.
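An audit check, added here as an example and not code from ipmasq or from this thread: it reads an INPUT chain listing in `iptables -S` form (the two samples below are constructed, not captured from a host) and confirms that the non-lo 127.0.0.0/8 DROP rule comes before the first ACCEPT, which is the ordering that makes this early rule more reliable than the final deny; `check_lospoof` is a hypothetical helper name.

```sh
#!/bin/sh
# Constructed sample chain: lospoof LOG+DROP sit ahead of every ACCEPT.
SAMPLE_OK='-P INPUT DROP
-A INPUT -s 127.0.0.0/8 ! -i lo -j LOG --log-prefix "lospoof: "
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Constructed sample chain with the same rules in the wrong order: a spoofed
# 127.x packet arriving on eth0 could be accepted by the state rule first.
SAMPLE_BAD='-P INPUT DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j LOG
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP'

# check_lospoof CHAIN_TEXT
# Returns 0 (and prints the rule position) if a DROP for 127.0.0.0/8 on
# non-lo interfaces precedes every ACCEPT rule; returns 1 otherwise.
check_lospoof() {
    pos=0
    while IFS= read -r line; do
        case "$line" in
            -A*) pos=$((pos + 1)) ;;   # count rules, skip -P policy lines
            *) continue ;;
        esac
        case "$line" in
            *"-s 127.0.0.0/8 "*"! -i lo "*"-j DROP"*)
                echo "lospoof DROP rule at position $pos"
                return 0 ;;
            *"-j ACCEPT"*)
                echo "ACCEPT rule at position $pos precedes any lospoof DROP"
                return 1 ;;
        esac
    done <<EOF
$1
EOF
    echo "no lospoof DROP rule found in chain"
    return 1
}

# On a live host the argument would be "$(iptables -S INPUT)".
check_lospoof "$SAMPLE_OK"
check_lospoof "$SAMPLE_BAD" || echo "audit failed for SAMPLE_BAD, as expected"
```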

--
Ted Cabeen           http://www.pobox.com/~secabeen         secabeen@pobox.com
Check Website or Keyserver for PGP/GPG Key BA0349D2      secabeen@uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot        cabeen@netcom.com


