ip_input.c
Nickolay A. Kritsky
nkritsky at internethelp.ru
Mon May 26 11:19:52 PDT 2003
Hi, secfolks.
While reading ip_input.c I have met the following lines:
;-------------------------------------------------
/* 127/8 must not appear on wire - RFC1122 */
if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
        if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
                ipstat.ips_badaddr++;
                goto bad;
        }
}
;-------------------------------------------
If we have such wonderful code inside the FreeBSD kernel, do we really
need to duplicate it in the default rc.firewall:
;-------------------------------------------
setup_loopback () {
############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
;-------------------------------------------
I think that they are talking about the same thing, no?
Best Regards.
;-------------------------------------------
; NKritsky
; mailto:nkritsky at internethelp.ru
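Added illustration, not code from the post or from FreeBSD: a small C model that puts the ip_input.c test and the three rc.firewall rules side by side and applies both to the same constructed packets. The IP() macro, in_127_8(), kernel_drops() and ipfw_drops() are my own names; only the two IN_* constants come from <netinet/in.h>.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Same constants as <netinet/in.h>: a class A network number is the top 8 bits. */
#define IN_CLASSA_NSHIFT 24
#define IN_LOOPBACKNET   127
/* Host-order IPv4 address; the kernel check runs on ntohl()'d values. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static bool in_127_8(uint32_t addr)
{
    return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET;
}

/* Models the ip_input.c test: a 127/8 source or destination is discarded
 * (ipstat.ips_badaddr++; goto bad) unless the receiving interface is IFF_LOOPBACK. */
bool kernel_drops(uint32_t src, uint32_t dst, bool rcvif_loopback)
{
    if (in_127_8(dst) || in_127_8(src))
        return !rcvif_loopback;
    return false;
}

/* Models rc.firewall rules 100/200/300 for a received packet, first match wins.
 * Assumes "via lo0" means the receiving interface is the loopback. Note the kernel
 * check sits only in the input path, whereas ipfw also sees packets the host
 * sends; that outbound case is outside this model. */
bool ipfw_drops(uint32_t src, uint32_t dst, bool rcvif_loopback)
{
    if (rcvif_loopback) return false;   /* 100 pass all from any to any via lo0 */
    if (in_127_8(dst))  return true;    /* 200 deny all from any to 127.0.0.0/8 */
    if (in_127_8(src))  return true;    /* 300 deny ip from 127.0.0.0/8 to any  */
    return false;                       /* no match here; later rules decide    */
}

int main(void)
{
    /* Constructed packets: source, destination, arrived on loopback? */
    struct { uint32_t s, d; bool lo; } cases[] = {
        { IP(10, 0, 0, 2),  IP(127, 0, 0, 1), false },  /* spoofed dst on a real NIC */
        { IP(127, 5, 6, 7), IP(10, 0, 0, 1),  false },  /* spoofed 127/8 source */
        { IP(127, 0, 0, 1), IP(127, 0, 0, 1), true  },  /* genuine loopback traffic */
        { IP(10, 0, 0, 2),  IP(10, 0, 0, 1),  false },  /* ordinary packet */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: kernel=%s ipfw=%s\n", i,
               kernel_drops(cases[i].s, cases[i].d, cases[i].lo) ? "drop" : "pass",
               ipfw_drops(cases[i].s, cases[i].d, cases[i].lo) ? "drop" : "pass");
    return 0;
}
```

For received packets the two models give the same verdict on every case above; the difference to keep in mind is the outbound direction, which only the ipfw rules cover.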