ip_input.c
From: Nickolay A. Kritsky (nkritsky_at_internethelp.ru)
Date: 05/26/03
- Previous message: FreeBSD bugmaster: "Current problem reports assigned to you"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 May 2003 22:19:22 +0400 To: freebsd-security@freebsd.org
Hi, secfolks.
While reading ip_input.c I have met following lines:
;-------------------------------------------------
/* 127/8 must not appear on wire - RFC1122 */
if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
(ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
ipstat.ips_badaddr++;
goto bad;
}
}
;-------------------------------------------
If we have such wonderful code inside freeBSD kernel, do we really
need to duplicate in default rc.firewall:
;-------------------------------------------
setup_loopback () {
############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
;-------------------------------------------
I think that they are talking about the same thing, no?
Best Regards.
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: FreeBSD bugmaster: "Current problem reports assigned to you"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
