From owner-freebsd-stable@FreeBSD.ORG Tue Mar 4 03:39:08 2008
Message-Id: <200803040339.m243d3Oj079510@drugs.dv.isc.org>
To: "Chris H."
From: Mark Andrews
In-reply-to: Your message of "Mon, 03 Mar 2008 19:15:41 -0800." <20080303191541.zo38uh036ogg8400@webmail.1command.com>
Date: Tue, 04 Mar 2008 14:39:03 +1100
Sender: marka@isc.org
Cc: Jeremy Chadwick, freebsd-stable@freebsd.org
Subject: Re: What's new on the 127.0.0/24 block in 7?
List-Id: Production branch of FreeBSD source code

> Hello Jeremy, and thank you for your reply.
>
> Quoting Jeremy Chadwick:
>
> > On Mon, Mar 03, 2008 at 05:43:35PM -0800, Chris H. wrote:
> >> Greetings,
> >> I'm having some difficulty working with anything past 127.0.0.1.
> >> It seems impossible to use (create) any addresses on the "loopback"
> >> past 127.0.0.1.
> >> More specifically; I installed rbldnsd from ports, and it worked quite
> >> well on a 6.x install. However, attempting the same config/install on
> >> a 7-RC3 install yields the inability to bind/create 127.0.0.2, or
> >> 127.0.0.3 for rbldnsd to answer on - all queries are refused. The
> >> same pinging/digging, etc.
> >>
> >> The 2 servers have /exactly/ the same net setups, and DNS/rbldnsd
> >> configs. Yet no joy on the RELENG_7 box. So it /appears/ something
> >> in this area has changed since 6. But I'm unable to discover any
> >> info on it.
> >
> > I've looked at this software: http://www.corpit.ru/mjt/rbldnsd.html
> >
> > Why exactly do you need this software to bind to 127.0.0.2 or 127.0.0.3?
> > I don't see any indication of it needing that. DNS-based RBLs don't
> > work like that, so I'm confused by this request.
>
> OK. Here's the scoop. I "bind" rbldnsd to one of my IRIPs (Internet
> Routable IPs). Requests can be made against /my/ blocklist @ my IRIP.
> Then, should there be a match, the answer is IN A 127.0.0.2 evil host
> yadda, yadda...
>
> This, unless a non-Internet-routable address from a /private/ block
> is used, is the general way to best accomplish this.
>
> BTW, as I mentioned in my original post; this setup/config worked
> /perfectly/ on a recent RELENG_6 server.
> NOTE: there are no ifconfig, or ifconfig_alias's in either server's
> rc.conf /other/ than:
>
> ifconfig_lo0="inet 127.0.0.1"

I suggest that you look again. There is nothing in 6.x that
automatically configures anything except 127.0.0.1 on lo0.

> in /etc/default/rc.conf on /both/ servers. Yet, for some reason
> the 6.x server provides 127.0.0/24 without question.

By default 6.x will configure lo0 as 127.0.0.1/8.

lo0: flags=8049 mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
	inet 10.53.0.1 netmask 0xffffffff
	inet 10.53.0.2 netmask 0xffffffff
	inet 10.53.0.3 netmask 0xffffffff
	inet 10.53.0.4 netmask 0xffffffff
	inet 10.53.0.5 netmask 0xffffffff
	inet 10.53.0.6 netmask 0xffffffff
	inet 10.53.0.7 netmask 0xffffffff
	inet 127.0.0.2 netmask 0xffffffff
	inet 127.0.0.3 netmask 0xffffffff

ifconfig_lo0_alias0="inet 10.53.0.1 netmask 0xffffffff"
ifconfig_lo0_alias1="inet 10.53.0.2 netmask 0xffffffff"
ifconfig_lo0_alias2="inet 10.53.0.3 netmask 0xffffffff"
ifconfig_lo0_alias3="inet 10.53.0.4 netmask 0xffffffff"
ifconfig_lo0_alias4="inet 10.53.0.5 netmask 0xffffffff"
ifconfig_lo0_alias5="inet 10.53.0.6 netmask 0xffffffff"
ifconfig_lo0_alias6="inet 10.53.0.7 netmask 0xffffffff"
ifconfig_lo0_alias7="inet 127.0.0.2 netmask 0xffffffff"
ifconfig_lo0_alias8="inet 127.0.0.3 netmask 0xffffffff"

I actually use lots of test addresses.

Mark

> The 7 server with /identical/ setup, will only provide 127.0.0.1.
>
> I hope I have been more concise this time.
>
> Thank you very much for taking the time to respond.
>
> --Chris H
>
> > The software acts as a "dumb" DNS server that returns specific IP
> > addresses when certain zones are resolved. postfix, sendmail, or any
> > other MTA will attempt DNS resolution of a hostname (at whatever stage
> > of the SMTP transaction). You tell the MTA to use whatever.blah.com as
> > a dnsbl, and the MTA will execute a resolver query to whatever.blah.com
> > for a specific hostname. The resolver (rbldnsd) will answer for a
> > hostname with a specific IP address (per the configuration file); each
> > IP address returned can be used for a unique purpose, e.g. 127.0.0.2
> > could mean "SOCKS proxy; denied", while 127.0.0.99 could mean "Known
> > hijacked network".
> >
> > There's a common list used here:
> >
> > http://www.netwidget.net/books/apress/dns/info/dnsbl.htm; see section
> > "127/8 Return Codes".
> >
> > If, for some bizarre reason, you REALLY DO need multiple loopback
> > addresses, it works fine, as confirmed on my RELENG_7 box:
> >
> > icarus# ifconfig lo0 inet 127.0.0.2 netmask 255.255.255.255 alias
> > icarus# ifconfig lo0
> > lo0: flags=8049 metric 0 mtu 16384
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 127.0.0.2 netmask 0xffffffff
> > icarus# ping 127.0.0.2
> > PING 127.0.0.2 (127.0.0.2): 56 data bytes
> > 64 bytes from 127.0.0.2: icmp_seq=0 ttl=64 time=0.022 ms
> > 64 bytes from 127.0.0.2: icmp_seq=1 ttl=64 time=0.012 ms
> > ^C
> > --- 127.0.0.2 ping statistics ---
> > 2 packets transmitted, 2 packets received, 0.0% packet loss
> > round-trip min/avg/max/stddev = 0.012/0.017/0.022/0.005 ms
> >
> > --
> > | Jeremy Chadwick                                jdc at parodius.com |
> > | Parodius Networking                       http://www.parodius.com/ |
> > | UNIX Systems Administrator                  Mountain View, CA, USA |
> > | Making life hard for others since 1977.              PGP: 4BD6C0CB |
> >
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
> --
> panic: kernel trap (ignored)

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
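The thread explains the DNSBL mechanism that rbldnsd implements: an MTA looks up a name under the list's zone and a returned address in 127/8 encodes the verdict. The following is an added example, not code from the thread, from rbldnsd or from FreeBSD. It builds the query name for a client address (the reversed-octet convention of RFC 5782 is assumed; the thread only says "a specific hostname"), interprets the 127/8 answer against a small return-code table (the two codes quoted by Jeremy, the rest constructed), and refuses to turn a non-127/8 answer into a blocking decision, since a list that returns routable addresses is misconfigured or not a DNSBL at all. `SAMPLE_ZONE` and `dnsbl.example` are constructed stand-ins for a zone rbldnsd would serve.

```python
"""DNSBL lookup helper: build the query name an MTA sends and interpret the
127/8 return code the list answers with. Added example; the code table and
the sample zone below are constructed for illustration."""
import ipaddress

# Return codes quoted in the thread. A real list publishes its own table;
# this one is a constructed sample.
RETURN_CODES = {
    ipaddress.IPv4Address("127.0.0.2"): "SOCKS proxy; denied",
    ipaddress.IPv4Address("127.0.0.99"): "Known hijacked network",
}

# Every legitimate DNSBL verdict is an address in this range.
LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Return the name to look up for client_ip under the DNSBL zone.

    Assumed convention (RFC 5782): the client's octets are reversed and
    prefixed to the zone, so 192.0.2.1 under dnsbl.example becomes
    1.2.0.192.dnsbl.example. A trailing dot on the zone is tolerated.
    """
    addr = ipaddress.IPv4Address(client_ip)  # ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.strip('.')}"


def interpret_answer(a_records):
    """Map the A records returned for a DNSBL query to (listed, reasons).

    An empty answer (NXDOMAIN) means the client is not listed. An address
    outside 127.0.0.0/8 is not a return code: the list is misconfigured or
    the answer was forged, so it is rejected rather than acted on.
    """
    reasons = []
    for record in a_records:
        addr = ipaddress.IPv4Address(record)
        if addr not in LOOPBACK_NET:
            raise ValueError(f"non-127/8 answer {addr}: not a DNSBL return code")
        reasons.append(RETURN_CODES.get(addr, f"listed with unknown code {addr}"))
    return (bool(reasons), reasons)


# Constructed stand-in for the zone rbldnsd would serve, keyed by query name:
# 192.0.2.1 is a SOCKS proxy, 198.51.100.7 carries two codes, and anything
# else (for example 203.0.113.9) is absent, i.e. not listed.
SAMPLE_ZONE = {
    "1.2.0.192.dnsbl.example": ["127.0.0.2"],
    "7.100.51.198.dnsbl.example": ["127.0.0.2", "127.0.0.99"],
}


def check_client(client_ip: str, zone: str, zone_data=SAMPLE_ZONE):
    """Resolve client_ip against zone_data the way an MTA would against rbldnsd."""
    name = dnsbl_query_name(client_ip, zone)
    return interpret_answer(zone_data.get(name, []))


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7", "203.0.113.9"):
        listed, reasons = check_client(ip, "dnsbl.example")
        print(ip, "LISTED" if listed else "clean", reasons)
```

Swapping `SAMPLE_ZONE` for a real resolver call is the only change needed to run this against a live list; keeping the 127/8 check in `interpret_answer` is what prevents a broken or hijacked list from rejecting all mail.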