Re: 127.0.0.0/8 addresses from the network



On Mon, Mar 12, 2001 at 06:58:07PM -0400, Peter Cordes wrote:
> On Mon, Mar 12, 2001 at 06:36:25PM +0000, Jim Breton wrote:
> > It does do what you describe; however the original question is about
> > evil packet _destinations_ and not evil packet _sources._
> 
>  No, I just checked linux/Documentation/filesystems/proc.txt, and it points
> out that this is a source check.  Destination is always checked, since it is
> incorrect not to do so, not just a security risk.  rp_filter filters out
> some packets that are allowed by the protocols, but are obviously bogus in a
> normal network.

Again, I'm not disagreeing with you.  rp_filter and source checking have
nothing to do with the issue though.  The question posed was about
packet destinations, and you keep referring to source checks.

Read the original post again.

Also read my post where I mentioned that more verbose logging of such a
packet may be useful; the kernel's martian logging is not very verbose.
Try it and you will see what I mean.

FWIW, whether the firewall framework in 2.2 will even pick it up in the
input chain is beyond me; you would have to try it.  2.4 won't; you have
to do it in the mangle table as far as I can tell (works for me there,
but not in the filter table).

Thanks.


