
Re: 127.0.0.0/8 addresses from the network



On Wed, Mar 14, 2001 at 12:14:07AM +0100, Carel Fellinger wrote:
> On Mon, Mar 12, 2001 at 10:14:17PM -0400, Peter Cordes wrote:
> >  I decided to check this out, 
> 
> For now I guess you wanted to check that Linux *does* filter on packet
> *destinations*, but I can't follow the example. To be honest, I don't
> see how Linux could filter those out at all, as destination addresses
> are used to route, and what's wrong with routing to a local net? Unless
> you specify somewhere that local addresses aren't allowed on a specific
> interface, and I know of no such parameter to the Linux routing code
> (but hey, I know nothing of that code, tried to read it once and failed:)

 Ok, let me define a few things.  llama is the computer "under attack".
bigfoot is the "attacker".  The attempted attack is to make llama accept a
connection to an address other than its own.  This could, I guess, get
around an access control that looked at the local address of the connection,
instead of who was on the other end.  Anyway, the intent is to show that
Linux doesn't accept connections when it shouldn't.

 As you point out, what I did is also the same as asking llama to route
packets to 10.0.0.10, which it won't do because I haven't configured it to
do that.  I thought of that while I was setting up my test.  Instead of
using arp -s on bigfoot, I could have set up a host route for 10.0.0.10
going through 10.0.0.1 (llama), so bigfoot would use ARP to find llama's MAC
address, and send the packet there with 10.0.0.10 in the IP header's
destination field.

 The result is that, as expected, llama doesn't route or accept the packet.

 The original question, IIRC, was what would happen if a packet came in with
127.0.0.1 as the IP destination.  I'm pretty sure the answer is that it
would get dropped, unless the machine was configured to forward packets from
the ethernet to the loopback network.

 One thing I didn't mention was that I have llama set (with ipchains) to a
DENY policy for forwarding.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
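The disposition rule the message walks through (a destination the host owns is delivered, anything else is only forwarded when forwarding is on, a route exists and the forward policy accepts, and a 127.0.0.0/8 destination arriving on a real interface is dropped unless the host has been told to route loopback from the wire) can be written down as a small model. The following is an added example, not code from the list thread; it is a constructed simplification of the kernel's input path, not the kernel's logic itself. The host names, addresses and the `route_localnet` knob (the modern sysctl that corresponds to "configured to forward packets from the ethernet to the loopback network") are assumptions for the example. The second function goes a step beyond the mail and audits sample `sysctl -a` style lines for the settings a defender would want to confirm on a host that is not supposed to route.

```python
"""Added example: a constructed model of how a Linux host disposes of an
incoming IP packet by destination, plus a sysctl audit for the related knobs.
Not the list author's code and not kernel code."""
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def input_decision(dst, in_iface, local_addrs, ip_forward=False,
                   route_localnet=False, forward_policy="ACCEPT", routes=()):
    """Return 'deliver', 'forward' or 'drop' for a packet to dst arriving on
    in_iface. local_addrs: addresses the host owns; routes: networks the host
    has routes for; forward_policy: the ipchains/iptables forward policy."""
    dst_ip = ipaddress.ip_address(dst)

    # 127.0.0.0/8 arriving on a non-loopback interface is a "martian":
    # dropped unless route_localnet (assumed knob) explicitly allows it.
    if dst_ip in LOOPBACK_NET:
        return "deliver" if (in_iface == "lo" or route_localnet) else "drop"

    # A destination the host owns goes up the local stack.
    if any(dst_ip == ipaddress.ip_address(a) for a in local_addrs):
        return "deliver"

    # Anything else would have to be forwarded, which needs forwarding on,
    # a permissive forward policy, and a route for the destination.
    if not ip_forward:
        return "drop"
    if forward_policy.upper() != "ACCEPT":
        return "drop"
    if not any(dst_ip in ipaddress.ip_network(r) for r in routes):
        return "drop"
    return "forward"


# Settings a non-router host should not have; key -> value that is a finding.
RISKY_SYSCTLS = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.route_localnet": "1",
    "net.ipv4.conf.all.log_martians": "0",
}


def audit_sysctl(lines):
    """Return the risky keys found in lines of the form 'key = value'."""
    findings = []
    for line in lines:
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in RISKY_SYSCTLS and value == RISKY_SYSCTLS[key]:
            findings.append(key)
    return findings


# Constructed sample of sysctl output for a host that quietly became a router.
SAMPLE_SYSCTL = [
    "net.ipv4.ip_forward = 1",
    "net.ipv4.conf.all.route_localnet = 0",
    "net.ipv4.conf.all.log_martians = 0",
    "net.ipv4.conf.all.rp_filter = 1",
]

if __name__ == "__main__":
    llama = ["10.0.0.1", "127.0.0.1"]  # constructed: the host "under attack"
    print("10.0.0.10 on eth0:", input_decision("10.0.0.10", "eth0", llama))
    print("127.0.0.1 on eth0:", input_decision("127.0.0.1", "eth0", llama))
    print("10.0.0.1  on eth0:", input_decision("10.0.0.1", "eth0", llama))
    print("audit:", audit_sysctl(SAMPLE_SYSCTL))
```

The first two calls reproduce the outcomes in the mail: without forwarding, a packet for 10.0.0.10 is neither delivered nor forwarded, and a 127.0.0.1 destination from the ethernet is dropped. Turning forwarding on but keeping a DENY forward policy still yields a drop, which is why the author's ipchains policy matters.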


