misc/164914: interface still accept packets even without IP address
Gleb Smirnoff
glebius at FreeBSD.org
Thu Feb 9 11:40:10 UTC 2012
The following reply was made to PR misc/164914; it has been noted by GNATS.
From: Gleb Smirnoff <glebius at FreeBSD.org>
To: Eugen Konkov <kes-kes at yandex.ru>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: misc/164914: interface still accept packets even without IP address
Date: Thu, 9 Feb 2012 15:35:20 +0400
On Wed, Feb 08, 2012 at 09:42:59PM +0000, Eugen Konkov wrote:
E> >How-To-Repeat:
E> ..............CLIENT
E> .........vlan70:10.7.18.90
E> ........../...............\
E> SERVER1....................SERVER2
E> vlan70:10.7.18.2 vlan70:10.7.18.1
E> vlan408:10.7.19.54<-->vlan408:10.7.19.53
E>
E> If I move IP 10.7.18.1 from SERVER2:vlan70 to SERVER1:vlan70
E>
E> ..............CLIENT
E> .........vlan70:10.7.18.90
E> ........../...............\
E> SERVER1....................SERVER2
E> vlan70:10.7.18.2 vlan70:NOIP_HERE_NOW
E> vlan70:10.7.18.1
E> vlan408:10.7.19.54<-->vlan408:10.7.19.53
E>
E> Traffic still flows through SERVER2
E>
E> This is a very interesting feature or maybe a bug? which touches security issues:
E> some host on LAN can send packets to MAC address of FreeBSD server, now server accepts packets even if frame is not in its subnet and passes them further %-)
This is not a bug, but the way IP and Ethernet work. If a box receives
a frame that has its link-level address, then the frame is passed to the
appropriate protocol layer. And if the IP protocol receives a packet that
is destined to some address we don't have, and forwarding is enabled,
then the packet is forwarded.
--
Totus tuus, Glebius.
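
Added example, not part of the original message or of FreeBSD's own code: an audit that flags the state SERVER2 is in after the move, an interface that is UP with a link-level address but no IPv4 address on a host with forwarding enabled. The function names are hypothetical, the `ifconfig` output is constructed (MAC addresses, parent interface and netmask are made up), and `ip_forwarding` is assumed to be read from the `net.inet.ip.forwarding` sysctl.

```python
import re

# Constructed sample: FreeBSD `ifconfig` output shaped like SERVER2 after
# 10.7.18.1 was moved away (MACs, parent interface and netmask are made up).
SAMPLE_IFCONFIG = """\
vlan70: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tvlan: 70 parent interface: em0
vlan408: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tinet 10.7.19.53 netmask 0xfffffffc broadcast 10.7.19.55
\tvlan: 408 parent interface: em0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:02
"""

HEADER = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")

def parse_ifconfig(text):
    """Return {ifname: {"flags": set, "ether": str or None, "inet": [addr, ...]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"flags": set(m.group(2).split(",")), "ether": None, "inet": []}
            ifaces[m.group(1)] = cur
        elif cur is not None:
            fields = line.split()
            if len(fields) >= 2 and fields[0] == "ether":
                cur["ether"] = fields[1]
            elif len(fields) >= 2 and fields[0] == "inet":
                cur["inet"].append(fields[1])
    return ifaces

def unaddressed_forwarders(ifconfig_text, ip_forwarding):
    """Interfaces that are UP, have a MAC, carry no IPv4 address, on a forwarding host."""
    if not ip_forwarding:
        return []  # without forwarding, packets for non-local addresses are not passed on
    return sorted(
        name for name, i in parse_ifconfig(ifconfig_text).items()
        if "UP" in i["flags"] and i["ether"] and not i["inet"]
    )

if __name__ == "__main__":
    # On a live host, ip_forwarding is true when `sysctl -n net.inet.ip.forwarding` prints 1.
    print(unaddressed_forwarders(SAMPLE_IFCONFIG, ip_forwarding=True))
```

Only IPv4 (`inet`) addresses are considered, matching the case discussed in the PR.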