Re: netmask for loopback interfaces

"Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net> wrote:

> > Note, the default FreeBSD firewall rules already have:
> > 
> >     ${fwcmd} add 100 pass all from any to any via lo0
> >     ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> >     ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Which no longer work correctly since the "to 127.0.0.0/8"
> packets SHALL go out what ever interface the route table
> tells them to (often the default route), AND NOT lo0.
>
> oot {1003}# route -n get 127.1.1.1
>    route to: 127.1.1.1
> destination: 0.0.0.0
>        mask: 0.0.0.0
>     gateway: 192.168.32.8
>         fib: 0
>   interface: em0

Hi!

I'm not sure what you mean. The current default rules will stop
anything to 127.0.0.0/8 going anywhere other than via lo0 -
which preserves "current expected behaviour" - I was pointing
out that in reply to Oleksandr's comment:

 | /8 mask on loopback prevetnts using of 127.x.x.x network anywhere
 | outside of the localhost. This described in RFC 5735 [1] and 1122 [2]

His argument was that putting an /8 on the localhost address would
neatly stop 127/8 traffic going to the LAN - I was pointing out there
are other ways to do this, i.e. routing, and the firewall.

Of course, if FreeBSD relaxes to allow the use of 128/8 outside 128/16,
then these rules will need to be changed..