Re: source & destination 127.0.0.2 ?

From: Wojtek Walczak (gminick@hacker.pl)
Date: 03/13/03


From: Wojtek Walczak <gminick@hacker.pl>
Date: Thu, 13 Mar 2003 16:09:16 +0000 (UTC)

On Thu, 13 Mar 2003 15:01:56 +0100, Henri Schomäcker wrote:
>> Your computer (well, to be exact - your local interface) knows this IP.
>> For example, for the lo interface (which is a special device defined in the
>> kernel) 127.254.254.254 is equal to 127.0.0.1 (as long as netmask for
>> lo is 255.0.0.0).
> Many thanks, this was great information!
You're welcome ;)

> But there's one question I still have:
> Is just 127.0.0.2 assigned to the loopback interface or are these IPs
> generated by request and are there more of these IPs?
It depends on the netmask for the interface. You can read it from ifconfig:

# ifconfig lo
lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10564 (10.3 Kb) TX bytes:10564 (10.3 Kb)

Netmask for lo is 255.0.0.0. Since the local interface is a bit special,
every IP in range 127.0.0.0/255.0.0.0 (or, in short form: 127.0.0.0/8)
means your host. 127.0.0.0/8 marks every IP in ranges: 127.0-255.0-255.0-255.
So as long as you're using the loopback interface and your netmask is
equal to 255.0.0.0 (I haven't been trying to change it and I'm not sure
how a Linux system will react in case of changing netmasks) every IP address
looking like 127.x.x.x where x is a number from 0 to 255 is targeting the
same location (yourself) as 127.0.0.1 is.

> How to deal with the loopback interface in the firewall then?
IMHO you do not have to. You can't receive a packet with src_ip=127.0.0.1
_to you_ _from the internet_, because these are unroutable. If a router
receives a packet with source_ip=127.0.0.0/8 it destroys this packet.
To be sure I tried sending three packets with source_ip=127.0.0.1
to a server working eight routers farther and all of those three packets
were silently killed by some (I suppose - the first one) router.
Within your LAN the situation can be a little bit different if there's
no router which can drop strange packets. Maybe in that case it isn't
too bad to block/drop packets coming to your ethernet interface with
src_ip = 127.0.0.0/8. So, if there's a possibility of an attack (only
DoS comes to mind at the moment) from LAN then you should block the whole
loopback net which is 127.0.0.0/8 (it marks any address from the range
I've mentioned above).

HTH.

-- 
[ Wojtek Walczak - gminick (at) underground.org.pl ]
[        <http://gminick.linuxsecurity.pl/>        ]
[ "...assorted phrases, dulled by the patina of age." ]
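The two points made in the reply above, that under netmask 255.0.0.0 every 127.x.x.x address belongs to the same network as 127.0.0.1, and that a packet carrying a 127.0.0.0/8 source or destination should only ever be seen on the loopback device, can be checked in a few lines. The following is an added example, not code from the thread or from its participants; the packet records are constructed for illustration, and the `Packet`, `same_host_as_loopback` and `verdict` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# The network that 127.0.0.1 belongs to under the mask ifconfig reported
# for lo (255.0.0.0), i.e. 127.0.0.0/8.
LOOPBACK_NET = ipaddress.ip_interface("127.0.0.1/255.0.0.0").network


def same_host_as_loopback(addr: str, netmask: str = "255.0.0.0") -> bool:
    """True when addr falls inside the network 127.0.0.1 is in under netmask.

    With the default 255.0.0.0 mask this accepts any 127.x.x.x address, which
    is exactly the claim made in the reply; a narrower mask shrinks the set.
    """
    net = ipaddress.ip_interface(f"127.0.0.1/{netmask}").network
    return ipaddress.ip_address(addr) in net


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: receiving interface, source and destination."""
    iface: str
    src: str
    dst: str


def verdict(pkt: Packet) -> str:
    """Anti-spoofing rule for the case discussed in the reply.

    Loopback-addressed traffic is legitimate only on the lo device itself.
    A packet that arrives on any other interface (the LAN-facing ethernet
    interface, for instance) with a source or destination in 127.0.0.0/8
    cannot be genuine and is dropped.
    """
    if pkt.iface == "lo":
        return "ACCEPT"
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in LOOPBACK_NET or dst in LOOPBACK_NET:
        return "DROP"
    return "ACCEPT"


def filter_packets(pkts):
    """Apply verdict() to each record and return (packet, verdict) pairs."""
    return [(p, verdict(p)) for p in pkts]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("lo", "127.0.0.1", "127.0.0.1"),        # local client to local daemon
    Packet("lo", "127.0.0.2", "127.254.254.254"),  # also purely local
    Packet("eth0", "10.0.0.7", "10.0.0.5"),        # ordinary LAN traffic
    Packet("eth0", "127.0.0.1", "10.0.0.5"),       # spoofed loopback source on LAN
    Packet("eth0", "10.0.0.7", "127.0.0.1"),       # loopback destination from LAN
]


def count_dropped(pkts=SAMPLE_PACKETS) -> int:
    """Number of sample packets the rule would drop."""
    return sum(1 for _, v in filter_packets(pkts) if v == "DROP")


if __name__ == "__main__":
    print("127.254.254.254 same host as 127.0.0.1:",
          same_host_as_loopback("127.254.254.254"))
    for pkt, v in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt.iface:5} {pkt.src:>16} -> {pkt.dst:<16} {v}")
```

The `verdict` function is the policy the reply suggests for a LAN with no router in front of the host: permit 127.0.0.0/8 on lo, drop it anywhere else. On a Linux host the same rule is what a packet-filter anti-spoofing entry matching a 127.0.0.0/8 source on every interface other than lo expresses; the Python version only makes the decision visible on sample records.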

