Bugtraq mailing list archives
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
From: Martin Macok <martin.macok () UNDERGROUND CZ>
Date: Tue, 6 Mar 2001 23:05:17 +0100
On Tue, Mar 06, 2001 at 01:34:18PM +0300, 3APA3A wrote:
> I believe solution for this problem may be something like
>
>     ipfw add allow all via lo*
>     ipfw add deny all to 127.0.0.0/8
>
> if you want this behavior to be changed.
(In case Linux 2.4 "suffers" ... I had no time to test it, but others (Kyle Sparger) claimed that.) In netfilter/iptables (Linux 2.4) language:

### ALLOW EVERYTHING FROM lo AND DISABLE EVERYTHING ELSE TO 127.0.0.*
iptables -A INPUT -i lo -j ACCEPT
# if you want some logging, uncomment next line:
# iptables -A INPUT -d 127.0.0.0/8 -m limit --limit 5/minute -j LOG
iptables -A INPUT -d 127.0.0.0/8 -j DROP

OR similar strategy:

### DISABLE EVERYTHING TO 127.0.0.* NOT COMING FROM lo
# if you want some logging, uncomment next line:
# iptables -A INPUT -d 127.0.0.0/8 -i ! lo -m limit --limit 5/minute -j LOG
iptables -A INPUT -d 127.0.0.0/8 -i ! lo -j DROP

I vote for 'Strong ES Model' by default (especially for Linux, as it is often installed by clueless beginners), and there is no argument for making 'Weak ES Model' the default. Including the fact that almost none of the current Security-HOWTOs/Firewall-HOWTOs/Networking-HOWTOs discuss that topic ...

Have a nice day

--
Martin Mačok
underground.cz
openbsd.cz
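Added example, not part of the thread and not code posted by any participant: the "deny everything to 127/8 that did not come in on lo" strategy above, written out in current iptables syntax (the interface negation is now written `! -i lo`; the `-i ! lo` form in the post is the old spelling), extended to ::1 for IPv6, and paired with a pure-shell evaluator so the verdict for a few constructed packets can be seen without root. The sysctl check at the end assumes a Linux 3.6 or later kernel, where `net.ipv4.conf.all.route_localnet` exists; the interface name eth0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits a "strong ES model"
# rule set for 127.0.0.0/8 and ::1 in modern iptables syntax, and evaluates
# the same policy in plain shell on constructed packets so the effect is
# visible without root. "eth0" and the sample packets are assumptions.

# Print the rules instead of applying them; review, then pipe to sh as root.
loopback_rules() {
    cat <<'EOF'
# Anything arriving on the loopback interface itself is fine.
iptables  -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Loopback destinations reaching us on any other interface are spoofed
# or misrouted: log (rate-limited) and drop.
iptables  -A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 5/minute -j LOG --log-prefix "lo-spoof: "
iptables  -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
ip6tables -A INPUT ! -i lo -d ::1/128 -m limit --limit 5/minute -j LOG --log-prefix "lo6-spoof: "
ip6tables -A INPUT ! -i lo -d ::1/128 -j DROP
EOF
}

# The same policy evaluated on one packet (ingress interface, destination).
# Prints ACCEPT, DROP or CONTINUE; CONTINUE means no loopback rule matched
# and later INPUT rules decide, exactly as in the chain above.
strong_es_verdict() {
    iface=$1
    dst=$2
    if [ "$iface" = lo ]; then
        echo ACCEPT
        return
    fi
    case "$dst" in
        127.*|::1) echo DROP ;;
        *)         echo CONTINUE ;;
    esac
}

# Kernel-side caveat (Linux 3.6+, assumption): route_localnet=1 makes the
# kernel willing to route 127/8 over real interfaces, so the filter above
# is the only thing standing in the way. Prints the value, or "absent".
route_localnet_state() {
    f=/proc/sys/net/ipv4/conf/all/route_localnet
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

if [ "${1:-}" = --rules ]; then
    loopback_rules
else
    # Constructed sample packets: "<interface> <destination address>".
    for pkt in "lo 127.0.0.1" "eth0 127.0.0.1" "eth0 127.255.255.254" \
               "eth0 ::1" "eth0 192.0.2.10"; do
        set -- $pkt
        printf '%-5s %-16s -> %s\n' "$1" "$2" "$(strong_es_verdict "$1" "$2")"
    done
    echo "route_localnet (all): $(route_localnet_state)"
fi
```

Run it with no arguments to see the per-packet verdicts, or with `--rules` to print the rule set for review; `sh script.sh --rules | sudo sh` applies it. The rules are appended to INPUT, so they only help if nothing earlier in the chain already accepts traffic to 127/8; put them near the top in a real ruleset.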
Current thread:
- Re: Loopback and multi-homed routing flaw in TCP/IP stack., (continued)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Kurt Seifried (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Neil W Rickert (Mar 05)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Ben Laurie (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. David Litchfield (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Robert Collins (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Lincoln Yeoh (Mar 07)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Ben Laurie (Mar 06)
- Message not available
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Lars Mathiesen (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. David Damerell (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Martin Macok (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. 3APA3A (Mar 07)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. bert hubert (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Crist Clark (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Woody (Mar 06)
- Re: Loopback and multi-homed routing flaw in TCP/IP stack. Lupe Christoph (Mar 07)