Re: Question: Iptables -- 127.0.0.1

---

• From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
• Date: Wed, 03 May 2006 14:52:46 -0500

---

On Wed, 03 May 2006, in the Usenet newsgroup comp.os.linux.security, in article
<slrne5hinu.rq0.ibuprofin@xxxxxxxxxxxxxxxxx>, I wrote:

[List of RFCs]

1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
(Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated by
RFC2644) (Status: PROPOSED STANDARD)

Section 4.2.2.11 (e) also lists 127.0.0.0/8. See also section 5.3.7, which
says:

5.3.7 Martian Address Filtering

An IP source address is invalid if it is a special IP address, as
defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

An IP destination address is invalid if it is among those defined as
illegal destinations in 4.2.3.1, or is a Class E address (except
255.255.255.255).

A router SHOULD NOT forward any packet that has an invalid IP source
address or a source address on network 0. A router SHOULD NOT
forward, except over a loopback interface, any packet that has a
source address on network 127. A router MAY have a switch that
allows the network manager to disable these checks. If such a switch
is provided, it MUST default to performing the checks.

If a router discards a packet because of these rules, it SHOULD log
at least the IP source address, the IP destination address, and, if
the problem was with the source address, the physical interface on
which the packet was received and the Link Layer address of the host
or router from which the packet was received.

Not that this is a "SHOULD NOT", rather than a "MUST NOT". See section
1.2.2 of RFC1812 if you aren't familiar with what those terms are meant
to be interpreted as.

Now, the next question is if your perimeter routers comply with this
requirement. Not all do, because there is a cost in CPU cycles. Oh, and
you'll also want to read section 5.3.8 of this document as well.

Old guy

.

---

• References:
  • Question: Iptables -- 127.0.0.1
    • From: Carlos Moreno
  • Re: Question: Iptables -- 127.0.0.1
    • From: Moe Trin

• Prev by Date: Re: Flaw found in X window code etc report
• Next by Date: Re: physical security and data encryption
• Previous by thread: Re: Question: Iptables -- 127.0.0.1
• Next by thread: IPS - signature detection - query
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: hardware vs software firewall ... > I understand that a hardware router basically manages the network layer, ... A router is responsible for forwarding ... packet filters, because both functions operate on the same level. ... (comp.security.firewalls) Re: hardware vs software firewall ... > I understand that a hardware router basically manages the network layer, ... A router is responsible for forwarding ... packet filters, because both functions operate on the same level. ... (comp.security.firewalls) Re: Need to make TCP/IP really slooooow ... >should implement a router. ... different network numbers). ... router is stateless - it handles each IP packet independently, ... and is unaware of the higher-level protocol and its ... (comp.os.linux.development.system) Re: Problem setting up a small network ... I guess one of the things you didn't consider it that the router will also ... Along with that if he does have a hub and not a switch then he may have ... week and downloaded and ran Ethereal, a free packet sniffer he recommends. ... "The evidence pointed to a problem in the network ... (microsoft.public.windowsxp.general) Re: Nmap questions concering my router ... >>interface can only have assigned ip address and no more. ... > network services externally where the server is on am internal host. ... If someone connected to port 80 on your router, ... If you send a packet to ... (comp.security.firewalls)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)