From owner-freebsd-stable Mon Feb 4 7: 8:47 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from voyager.straynet.com (voyager.straynet.com [208.185.24.8]) by hub.freebsd.org (Postfix) with ESMTP id 95C4337B421; Mon, 4 Feb 2002 07:08:42 -0800 (PST)
Received: by voyager.straynet.com (Postfix, from userid 1001) id 336BD20699; Mon, 4 Feb 2002 10:07:22 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by voyager.straynet.com (Postfix) with ESMTP id 2447C18C97; Mon, 4 Feb 2002 10:07:22 -0500 (EST)
Date: Mon, 4 Feb 2002 10:07:22 -0500 (EST)
From: Greg Prosser
X-X-Sender:
Reply-To: Greg Prosser
To: "Jacques A. Vidrine"
Cc: Mike Tancsa , Ruslan Ermilov , , Warner Losh
Subject: Re: dropping 127.* on the floor
In-Reply-To: <20020204143758.GA28243@madman.nectar.cc>
Message-ID: <20020204100307.F12914-100000@voyager.straynet.com>
X-Sysadmin-Nolife: True
X-BOFH: Yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

on Mon, 4 Feb 2002, Jacques A. Vidrine babbled ..

;; On Mon, Feb 04, 2002 at 09:29:08AM -0500, Mike Tancsa wrote:
;; > At 08:12 AM 2/4/02 -0600, Jacques A. Vidrine wrote:
;; >
;; > >See the Bugtraq archives for the thread starting with Message-ID:
;; > ><3AA3ECAB.EA826D28@thebunker.net>, subject ``Loopback and multi-homed
;; > >routing flaw in TCP/IP stack.'' for the reasons behind this change.
;; > >The following URL might work.
;; > >
;; > >
;; >
;; > What if this were dealt with as part of firewall rules? i.e. GENERIC was built
;; > by default with IPFIREWALL and firewall_enable="YES" and
;; > firewall_type="OPEN" were set. That way the behavior that people have come
;; > to rely on is still there for those that need it.
;; >
;; > I have not tested this yet with my production transparent proxies but I
;; > will try to do so later today to see if the behavior is broken as a number of
;; > people have reported.
;;
;; We are talking about two different things: ip_input.c and ip_output.c.
;; The recent change to ip_output.c is what might break your transparent
;; proxy. Above I am talking about the year-old change to ip_input.c.

According to the squid FAQ[1], the recommended way to transparently insert the
cache server is to use ipfw fwd rules diverting traffic to 127.0.0.1. This
behaviour is now broken, as ipfw rewrites the packet before it hits the network
stack, as does ipf, and both end up dropped. I've tested and confirmed this on
4.5-STABLE; the rules in the FAQ did not work for me.

-gnp

[1] squid FAQ URL: http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.8
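The rule shape under discussion, as an added example that is not code from the message above or from the Squid FAQ: a small sh(1) helper that generates the ipfw(8) "fwd" rule the FAQ approach relies on (intercept inbound port-80 traffic and hand it to a local Squid listener), and refuses to load a rule set whose forward target is in 127/8, since the message reports that such packets are dropped on 4.5-STABLE after the ip_output.c change. The interface name, the 192.0.2.10 proxy address, the rule number and the Squid port are assumptions; so is the premise that forwarding to an address configured on a real interface is not affected by the 127.* drop, which the message does not state and which you should confirm on your own kernel. The squid.conf side of transparent proxying is not covered.

```shell
#!/bin/sh
# Added example (not from the original message or the Squid FAQ).
# Generates the ipfw fwd rule for transparent Squid interception and
# refuses a 127/8 forward target. Interface, addresses, rule number and
# port are assumptions; adjust for your host.

# fwd_target_ok ADDR: succeed unless ADDR is in 127.0.0.0/8.
# The thread reports that packets forwarded to 127.* are dropped after
# the ip_output.c change, so such a target is rejected before loading.
fwd_target_ok() {
    case "$1" in
        127.*) return 1 ;;
        *)     return 0 ;;
    esac
}

# squid_fwd_rules IFACE TARGET [PORT]: print the ipfw command (without
# the leading "ipfw") that intercepts port-80 traffic arriving on IFACE
# and forwards it to the Squid listener at TARGET,PORT.
# "in via IFACE" matches only packets received on IFACE, so Squid's own
# outbound fetches never loop back into the rule.
squid_fwd_rules() {
    ifn=$1; target=$2; port=${3:-3128}
    echo "add 60 fwd $target,$port tcp from any to any 80 in via $ifn"
}

# load_rules IFACE TARGET [PORT]: reject a 127/8 target, otherwise feed
# each generated rule to ipfw. With DRY_RUN=1, or where ipfw is not
# installed, the rules are printed instead of applied.
load_rules() {
    if ! fwd_target_ok "$2"; then
        echo "refusing fwd target $2: 127/8 targets are dropped by this kernel" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipfw >/dev/null 2>&1; then
        squid_fwd_rules "$@"
    else
        squid_fwd_rules "$@" | while read -r rule; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -q $rule
        done
    fi
}

# Example (assumed values): DRY_RUN=1 load_rules ed0 192.0.2.10 3128
```

After loading for real, `ipfw show` should report a rising packet counter on rule 60 when a client behind the box fetches a web page; a counter that rises while the client hangs is the symptom the message describes for the 127.0.0.1 target.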