Re: source & destination 127.0.0.2 ?

From: Wojtek Walczak (gminick@hacker.pl)
Date: 03/13/03


From: Wojtek Walczak <gminick@hacker.pl>
Date: Thu, 13 Mar 2003 16:09:16 +0000 (UTC)

On Thu, 13 Mar 2003 15:01:56 +0100, Henri Schomäcker wrote:
>> Your computer (well, to be exact - your local interface) knows this IP.
>> For example, for the lo interface (which is a special device defined in the
>> kernel) 127.254.254.254 is equal to 127.0.0.1 (as long as the netmask for
>> lo is 255.0.0.0).
> Many thanks, this was great information!
You're welcome ;)

> But there's one question I still have:
> Is just 127.0.0.2 assigned to the loopback interface or are these IPs
> generated by request and are there more of these IPs?
It depends on the netmask for an interface. You can read it from ifconfig:

# ifconfig lo
lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10564 (10.3 Kb) TX bytes:10564 (10.3 Kb)

The netmask for lo is 255.0.0.0. Since the local interface is a bit special,
every IP in the range 127.0.0.0/255.0.0.0 (or, in short form, 127.0.0.0/8)
means your host. 127.0.0.0/8 marks every IP in the range 127.0-255.0-255.0-255.
So as long as you're using the loopback interface and your netmask is
equal to 255.0.0.0 (I haven't tried changing it and I'm not sure
how a Linux system would react to changing the netmask), every IP address
of the form 127.x.x.x, where x is a number from 0 to 255, is targeting the
same location (yourself) as 127.0.0.1 is.

> How to deal with the loopback interface in the firewall then?
IMHO you do not have to. You can't receive a packet with src_ip=127.0.0.1
_to you_ _from the internet_, because these are unroutable. If a router
receives a packet with source_ip=127.0.0.0/8 it destroys this packet.
To be sure, I tried sending three packets with source_ip=127.0.0.1
to a server working eight routers farther away, and all three packets
were silently killed by some (I suppose the first one) router.
Within your LAN the situation can be a little bit different if there's
no router which can drop strange packets. Maybe in that case it isn't
too bad to block/drop packets coming to your ethernet interface with
src_ip = 127.0.0.0/8. So, if there's a possibility of an attack (only
DoS comes to mind at the moment) from the LAN, then you should block the whole
loopback net, which is 127.0.0.0/8 (it marks any address from the range
I've mentioned above).

HTH.

-- 
[ Wojtek Walczak - gminick (at) underground.org.pl ]
[        <http://gminick.linuxsecurity.pl/>        ]
[ "...assorted phrases, dulled by the patina of age." ]
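The two points of the reply above, that the kernel treats any 127.x.x.x address as the same host under a 255.0.0.0 netmask and that a loopback-sourced packet arriving on an ethernet interface can only be spoofed and should be dropped, as an added example that is not part of the original thread. The packet records and interface name `eth0` are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    iface: str   # interface the packet arrived on
    src: str     # source IP address
    dst: str     # destination IP address

def same_network(addr_a: str, addr_b: str, netmask: str) -> bool:
    """True if both addresses share the network part under the given netmask.

    This is the comparison that makes 127.254.254.254 and 127.0.0.1 land in
    the same 127.0.0.0/8 network of the lo interface when the mask is 255.0.0.0.
    """
    a = int(ipaddress.IPv4Address(addr_a))
    b = int(ipaddress.IPv4Address(addr_b))
    m = int(ipaddress.IPv4Address(netmask))
    return (a & m) == (b & m)

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")

def should_drop(pkt: Packet) -> bool:
    """Drop a packet that claims a loopback source but did not arrive on lo.

    127.0.0.0/8 is never routed, so the only legitimate way such a packet can
    reach the host is through the loopback interface itself. Equivalent
    netfilter rule (interface name is an assumption):
        iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
    """
    if pkt.iface == "lo":
        return False
    return ipaddress.IPv4Address(pkt.src) in LOOPBACK_NET

def filter_packets(packets):
    """Return (accepted, dropped) lists for a batch of packets."""
    accepted, dropped = [], []
    for p in packets:
        (dropped if should_drop(p) else accepted).append(p)
    return accepted, dropped

# Constructed sample traffic (not captured from any real host).
SAMPLE = [
    Packet("lo",   "127.0.0.1",       "127.0.0.1"),     # normal local traffic
    Packet("lo",   "127.254.254.254", "127.0.0.2"),     # still loopback, fine
    Packet("eth0", "192.168.1.20",    "192.168.1.10"),  # ordinary LAN packet
    Packet("eth0", "127.0.0.1",       "192.168.1.10"),  # spoofed loopback: drop
    Packet("eth0", "127.200.3.4",     "192.168.1.10"),  # spoofed, whole /8: drop
]

if __name__ == "__main__":
    for p in filter_packets(SAMPLE)[1]:
        print(f"DROP {p.src} -> {p.dst} on {p.iface}")
```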