
Bugtraq mailing list archives

Re: Loopback and multi-homed routing flaw in TCP/IP stack.


From: Martin Macok <martin.macok () UNDERGROUND CZ>
Date: Tue, 6 Mar 2001 23:05:17 +0100

On Tue, Mar 06, 2001 at 01:34:18PM +0300, 3APA3A wrote:
I believe solution for this problem may be something like

ipfw add allow all via lo*
ipfw add deny all to 127.0.0.0/8

if you want this behavior to be changed.

 (In case Linux 2.4 ''suffer'' ... 
  I had no time to test it but others (Kyle Sparger) claimed that)

In netfilter/iptables (linux 2.4) language:

### ALLOW EVERYTHING FROM lo AND DISABLE EVERYTHING ELSE TO 127.0.0.*
iptables -A INPUT -i lo -j ACCEPT
# if you want some logging, uncomment next line:
# iptables -A INPUT -d 127.0.0.0/8 -m limit --limit 5/minute -j LOG
iptables -A INPUT -d 127.0.0.0/8 -j DROP

OR similar strategy:

### DISABLE EVERYTHING TO 127.0.0.* NOT COMING FROM lo
# if you want some logging, uncomment next line:
# iptables -A INPUT -d 127.0.0.0/8 -i ! lo -m limit --limit 5/minute -j LOG
iptables -A INPUT -d 127.0.0.0/8 -i ! lo -j DROP

I vote for 'Strong ES Model' by default (especially for Linux, as it
is often installed by clueless beginners) and there is no
argument for making 'Weak ES Model' default. Including the fact that
almost no current Security-HOWTOs/Firewall-HOWTOs/Networking-HOWTOs
discuss that topic ...

Have a nice day

-- 
   Martin Mačok
  underground.cz
    openbsd.cz

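An added example, not part of the post above: a small first-match evaluator that models the two iptables strategies from the reply and runs constructed (interface, destination) packets through them, showing where they agree (both drop 127.0.0.0/8 traffic that did not arrive on lo, i.e. the strong ES behaviour) and where they differ (the first strategy accepts everything on lo, the second only decides about loopback destinations). Rule, evaluate and the sample packets are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One INPUT rule: optional -i match (with '!' negation) and optional -d match."""
    target: str                     # ACCEPT or DROP
    in_iface: Optional[str] = None  # -i <iface>
    iface_negate: bool = False      # -i ! <iface>
    dst: Optional[str] = None       # -d <cidr>

    def matches(self, iface: str, dst: str) -> bool:
        if self.in_iface is not None and (iface == self.in_iface) == self.iface_negate:
            return False
        if self.dst is not None and ip_address(dst) not in ip_network(self.dst):
            return False
        return True

def evaluate(chain, iface: str, dst: str, policy: str = "CONTINUE") -> str:
    """First matching rule wins; 'CONTINUE' means later rules / chain policy decide."""
    for rule in chain:
        if rule.matches(iface, dst):
            return rule.target
    return policy

# Strategy 1: iptables -A INPUT -i lo -j ACCEPT ; iptables -A INPUT -d 127.0.0.0/8 -j DROP
STRATEGY_ALLOW_LO_THEN_DROP = [Rule("ACCEPT", in_iface="lo"), Rule("DROP", dst="127.0.0.0/8")]
# Strategy 2: iptables -A INPUT -d 127.0.0.0/8 -i ! lo -j DROP
STRATEGY_DROP_NOT_LO = [Rule("DROP", in_iface="lo", iface_negate=True, dst="127.0.0.0/8")]

# Constructed sample packets: (ingress interface, destination address).
SAMPLE_PACKETS = [
    ("lo", "127.0.0.1"),     # genuine local traffic
    ("eth0", "127.0.0.1"),   # loopback destination arriving from the wire
    ("eth0", "127.5.6.7"),   # anywhere in 127/8, same treatment
    ("eth0", "192.0.2.10"),  # ordinary traffic to a real interface address
    ("lo", "192.0.2.10"),    # local traffic to a non-loopback address
]

def decisions(chain) -> dict:
    """Map each sample packet to the verdict the given chain produces."""
    return {pkt: evaluate(chain, *pkt) for pkt in SAMPLE_PACKETS}

if __name__ == "__main__":
    for name, chain in (("allow lo, then drop 127/8", STRATEGY_ALLOW_LO_THEN_DROP),
                        ("drop 127/8 not from lo", STRATEGY_DROP_NOT_LO)):
        print(name, decisions(chain))
```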
