Re: Block martians with source address 127.0.0.1

From: Bjørn Rasmussen (bjoernr_at_sensewave.com)
Date: 06/01/04

    To: Cedric Blancher <blancher@cartel-securite.fr>
    Date: Tue, 01 Jun 2004 13:48:42 +0200
    
    

    Mon, 31.05.2004 at 17.30, Cedric Blancher wrote:
    > On Mon 31/05/2004 at 12:55, Bjørn Rasmussen wrote:
    > > The kernel on the firewall logs these packets as martians which it
    > > should do, but my rules will not log or block these packets. Anybody
    > > who knows how to do it? Is it possible? I guess there are situations
    > > were malicious persons could at least perform a DoS-attack?
    >
    > As a general rule, when a Linux box receives a packet sourced with one of
    > its addresses, it is silently discarded at the routing process. So your INPUT
    > stuff should not see the packet coming.

    And this is true even if rp_filter is disabled, right?

    And you mean it's not seen by the INPUT chain, because it is seen by
    tcpdump on the receiving interface (response of "nmap -e eth0 -S
    127.0.0.1 192.168.10.1" from LAN-client to internal fw-if):

    11:09:03.073754 192.168.10.5 > 192.168.10.1: icmp: echo request
    11:09:03.073807 127.0.0.1.59710 > 192.168.10.1.http: . ack 3695741918
    win 4096
    11:09:08.067981 arp who-has 192.168.10.1 tell 192.168.10.5
    11:09:08.068058 arp reply 192.168.10.1 is-at 0:60:94:51:4b:e4
    11:09:09.088065 127.0.0.1 > 192.168.10.1: icmp: echo request
    11:09:09.088118 127.0.0.1.59711 > 192.168.10.1.http: . ack 1665698846
    win 1024

    Then trying to block 127.0.0.1 makes no sense?

    > Furthermore, if reverse path filtering (rp_filter) is enabled, then
    > martians are automatically discarded, before they get to INPUT or FORWARD.

    Sorry, I forgot to tell you that I disabled the rp_filter, since I use
    FreeS/WAN.
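As an added example (not part of the thread), a small Python check that applies Cedric's rule to the capture Bjørn quoted: it parses the old-style tcpdump lines and flags every packet whose source is loopback, a bogon range, or one of the firewall's own addresses, i.e. the packets the routing code discards before any INPUT rule can see them. The firewall address 192.168.10.1 and the two extra bogon ranges are assumptions.

```python
import ipaddress
import re

# Sources that must never arrive on a non-loopback interface. 127.0.0.0/8 is
# the case in the thread; 0.0.0.0/8 and 224.0.0.0/4 are assumed extra bogons.
MARTIAN_SOURCES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")]

# The capture quoted in the message, verbatim (old tcpdump layout: host and
# port joined by a dot, port may be a service name, wrapped "win" lines).
CAPTURE = """\
11:09:03.073754 192.168.10.5 > 192.168.10.1: icmp: echo request
11:09:03.073807 127.0.0.1.59710 > 192.168.10.1.http: . ack 3695741918
win 4096
11:09:08.067981 arp who-has 192.168.10.1 tell 192.168.10.5
11:09:08.068058 arp reply 192.168.10.1 is-at 0:60:94:51:4b:e4
11:09:09.088065 127.0.0.1 > 192.168.10.1: icmp: echo request
11:09:09.088118 127.0.0.1.59711 > 192.168.10.1.http: . ack 1665698846
win 1024
"""

# timestamp, source endpoint, destination endpoint (up to the first ":")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+?):\s")


def host_of(endpoint: str) -> str:
    """Strip the dotted port/service suffix: 'a.b.c.d.http' -> 'a.b.c.d'."""
    return ".".join(endpoint.split(".")[:4])


def is_martian_source(src: str, local_addrs: set) -> bool:
    """True if src is a bogon or one of the receiving host's own addresses."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # unresolved hostname, not a dotted quad
        return False
    return addr in local_addrs or any(addr in net for net in MARTIAN_SOURCES)


def find_spoofed(lines, local_addrs):
    """Return (timestamp, src, dst) for each packet the kernel would treat
    as a martian at routing time and therefore never hand to INPUT."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:               # arp lines and wrapped "win ..." fragments
            continue
        src, dst = host_of(m.group(2)), host_of(m.group(3))
        if is_martian_source(src, local):
            hits.append((m.group(1), src, dst))
    return hits
```

Run against a capture taken on the inside interface this lists exactly the traffic an INPUT rule will never log; to log or drop such packets in netfilter they have to be matched in PREROUTING, which runs before the routing decision that discards them.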

