Re: netmask for loopback interfaces

From: Jamie Landeg-Jones <>
Date: Thu, 04 Nov 2021 19:10:37 UTC
"Rodney W. Grimes" <> wrote:

> > Note, the default FreeBSD firewall rules already have:
> > 
> >     ${fwcmd} add 100 pass all from any to any via lo0
> >     ${fwcmd} add 200 deny all from any to
> >     ${fwcmd} add 300 deny ip from to any
> Which no longer work correctly since the "to"
> packets SHALL go out what ever interface the route table
> tells them to (often the default route), AND NOT lo0.
> oot {1003}# route -n get
>    route to:
> destination:
>        mask:
>     gateway:
>         fib: 0
>   interface: em0


I'm not sure what you mean. The current default rules will stop
anything to going anywhere other than via lo0 -
which preserves "current expected behaviour" - I was pointing
out that in reply to Oleksandr's comment:

 | /8 mask on loopback prevents using of 127.x.x.x network anywhere
 | outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]

His argument was that putting an /8 on the localhost address would
neatly stop 127/8 traffic going to the LAN - I was pointing out there
are other ways to do this, i.e. routing, and the firewall.

Of course, if FreeBSD relaxes to allow the use of 128/8 outside 128/16,
then these rules will need to be changed..
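
As an added illustration (not code from this thread or from FreeBSD's rc.firewall), the following toy model shows how the two mechanisms mentioned above interact: the route table decides which interface a packet to 127.x.x.x leaves on, and the three quoted ipfw rules then pass it on lo0 or drop it anywhere else. It assumes the addresses elided from the quoted rules are 127.0.0.0/8 (as the "127/8" in the post suggests), uses plain longest-prefix matching in place of the kernel FIB, and the narrowed route table with only 127.0.0.1/32 on lo0 is a constructed case to show the point about the default route.

```python
# Added example (not from the thread or FreeBSD's rc.firewall): a toy model of
# how the loopback route and the three default ipfw rules decide the fate of a
# packet addressed to 127.x.x.x.  Assumption: the addresses elided in the quoted
# rules are 127.0.0.0/8, as the post's "127/8" suggests.
from ipaddress import ip_address, ip_network

LOOPBACK_NET = ip_network("127.0.0.0/8")   # RFC 1122 / RFC 5735 loopback block


def lookup_route(routes, dst):
    """Plain longest-prefix match over (network, interface) pairs.

    A simplification of the kernel's FIB: the real table also carries
    gateways, flags and a reject route, none of which matter here.
    """
    dst = ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def default_firewall(src, dst, iface):
    """First-match evaluation of the three rules quoted in the post."""
    src, dst = ip_address(src), ip_address(dst)
    if iface == "lo0":            # 100 pass all from any to any via lo0
        return "pass"
    if dst in LOOPBACK_NET:       # 200 deny all from any to 127.0.0.0/8
        return "deny"
    if src in LOOPBACK_NET:       # 300 deny ip from 127.0.0.0/8 to any
        return "deny"
    return "continue"             # fall through to the rest of the ruleset


def send(routes, src, dst):
    """Route the packet, then run it through the firewall on that interface."""
    iface = lookup_route(routes, dst)
    return iface, default_firewall(src, dst, iface)


# Constructed route tables.  The first is the traditional setup: lo0 owns the
# whole /8.  The second is a hypothetical narrowed loopback, where only
# 127.0.0.1 is on lo0 and everything else follows the default route via em0.
ROUTES_SLASH8 = [(ip_network("0.0.0.0/0"), "em0"),
                 (ip_network("127.0.0.0/8"), "lo0")]
ROUTES_NARROW = [(ip_network("0.0.0.0/0"), "em0"),
                 (ip_network("127.0.0.1/32"), "lo0")]

if __name__ == "__main__":
    for name, routes in (("lo0 /8", ROUTES_SLASH8), ("lo0 /32", ROUTES_NARROW)):
        print(name, "127.0.0.1 -> 127.5.5.5:", send(routes, "127.0.0.1", "127.5.5.5"))
    # A 127/8 source address heading for the LAN is caught by rule 300.
    print("loopback source to LAN:", send(ROUTES_NARROW, "127.0.0.2", "192.0.2.1"))
```

With the /8 route the packet to 127.5.5.5 goes out lo0 and rule 100 passes it; with the narrowed route it is routed to em0 and rule 200 drops it there, which is the point that the firewall, not the netmask alone, is what keeps 127/8 off the LAN.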