From: Jamie Landeg-Jones <jamie@catflap.org>
Message-Id: <202111041910.1A4JAbY2016855@donotpassgo.dyslexicfish.net>
Date: Thu, 04 Nov 2021 19:10:37 +0000
Organization: Dyslexic Fish
To: jamie@catflap.org, freebsd-rwg@gndrsh.dnsmgr.net
Cc: shuriku@shurik.kiev.ua, freebsd-net@FreeBSD.org
Subject: Re: netmask for loopback interfaces
References: <202111041430.1A4EUPOe029661@gndrsh.dnsmgr.net>
In-Reply-To: <202111041430.1A4EUPOe029661@gndrsh.dnsmgr.net>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

"Rodney W. Grimes" wrote:

> > Note, the default FreeBSD firewall rules already have:
> >
> > ${fwcmd} add 100 pass all from any to any via lo0
> > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Which no longer work correctly since the "to 127.0.0.0/8"
> packets SHALL go out whatever interface the route table
> tells them to (often the default route), AND NOT lo0.
>
> oot {1003}# route -n get 127.1.1.1
>    route to: 127.1.1.1
> destination: 0.0.0.0
>        mask: 0.0.0.0
>     gateway: 192.168.32.8
>         fib: 0
>   interface: em0

Hi! I'm not sure what you mean. The current default rules will stop
anything to 127.0.0.0/8 going anywhere other than via lo0 - which
preserves "current expected behaviour" - I was pointing out that in
reply to Oleksandr's comment:

| /8 mask on loopback prevents using of 127.x.x.x network anywhere
| outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]

His argument was that putting an /8 on the localhost address would
neatly stop 127/8 traffic going to the LAN - I was pointing out there
are other ways to do this, i.e. routing, and the firewall.

Of course, if FreeBSD relaxes to allow the use of 128/8 outside 128/16,
then these rules will need to be changed..
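The three rc.firewall rules quoted above are evaluated first-match by ipfw, so the question in the thread is really "which rule does a 127/8 packet hit when the route table sends it out em0 instead of lo0?". The following Python model is an added example, not code from the message or from FreeBSD: it reproduces the first-match semantics of those three rules for a handful of constructed packets and shows that a packet to 127.1.1.1 leaving via em0 is caught by rule 200, while the same packet via lo0 is accepted by rule 100. The Packet and Rule classes, the packet samples and the "via" interface field are assumptions made for the model; it ignores everything else ipfw does (protocol matching, state, dynamic rules).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

ANY = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Packet:
    """Constructed packet: only the fields the three rules look at."""
    src: str
    dst: str
    iface: str  # interface the packet is passing through (ipfw "via")


@dataclass
class Rule:
    """Simplified ipfw rule: number, action, src/dst prefixes, optional 'via' interface."""
    number: int
    action: str  # "pass" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None


# Model of the rc.firewall rules quoted in the thread:
#   add 100 pass all from any to any via lo0
#   add 200 deny all from any to 127.0.0.0/8
#   add 300 deny ip  from 127.0.0.0/8 to any
DEFAULT_RULES: List[Rule] = [
    Rule(100, "pass", ANY, ANY, via="lo0"),
    Rule(200, "deny", ANY, LOOPBACK),
    Rule(300, "deny", LOOPBACK, ANY),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when its 'via' (if any) and both prefixes match the packet."""
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[Optional[int], str]:
    """First-match evaluation in rule-number order, like ipfw.

    Returns (rule_number, action); rule_number is None when no rule matched
    and the supplied default action applies (assumption: an open default)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return None, default


if __name__ == "__main__":
    # Constructed samples: the route-table case from the thread (127.1.1.1 via
    # em0 toward 192.168.32.8) versus the same destination reached via lo0.
    samples = [
        Packet("127.0.0.1", "127.1.1.1", "lo0"),       # local, stays on lo0
        Packet("192.168.32.10", "127.1.1.1", "em0"),   # 127/8 dst leaving via the LAN
        Packet("127.0.0.1", "10.0.0.1", "em0"),        # 127/8 src leaving via the LAN
        Packet("192.168.32.10", "10.0.0.1", "em0"),    # ordinary traffic, untouched
    ]
    for p in samples:
        num, act = evaluate(DEFAULT_RULES, p)
        print(f"{p.src} -> {p.dst} via {p.iface}: rule {num} {act}")
```

Running it prints that only the lo0 packet is passed by rule 100; the two em0 packets carrying a 127/8 address are denied by rules 200 and 300 respectively, and unrelated traffic falls through to the default. This is the behaviour the reply describes: the rules do not depend on the route lookup sending 127/8 to lo0, they deny it on any other interface.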