Date:      Sat, 2 Feb 2002 16:01:48 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Stefan `Sec` Zehl <sec@42.org>
Cc:        Ruslan Ermilov <ru@freebsd.org>, cvs-committers@freebsd.org, cvs-all@freebsd.org
Subject:   Re: cvs commit: src/sys/netinet ip_output.c
Message-ID:  <20020202140147.GA71238@hades.hell.gr>
In-Reply-To: <20020202123007.GA19270@matrix.42.org>
References:  <200202011042.g11Ag9U93410@freefall.freebsd.org> <20020202123007.GA19270@matrix.42.org>

On 2002-02-02 13:30, Stefan `Sec` Zehl wrote:
> On Fri, Feb 01, 2002 at 02:42:09AM -0800, Ruslan Ermilov wrote:
> > ru          2002/02/01 02:42:09 PST
> > 
> >   Modified files:        (Branch: RELENG_4)
> >     sys/netinet          ip_output.c 
> >   Log:
> >   MFC: 1.148: { 127, <any> } MUST NOT appear outside a host.
> 
> Wouldn't preventing FreeBSD from receiving 127.x from non-loopback
> interfaces make more sense than preventing it from sending it?

That's probably OK too.  I've used a firewall for similar filtering
until now.  For instance, packets from/to one of the address blocks
listed in RFC 1918 should never appear on my dialup interface.

Since the local configuration is not known to the kernel, filtering of
RFC 1918 addresses can only be done with a firewall, but about loopback
interfaces you're right that ip_input() should probably be changed too.

Cheers,

-- 
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . . http://www.freebsd.org/
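
Added example, not part of the original message and not FreeBSD source: a userland C sketch of the two checks discussed in this thread, the unconditional 127/8 rule on non-loopback interfaces and the RFC 1918 rule that depends on local policy. The struct iface type, its fields, and check_packet() are hypothetical names chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Addresses are in host byte order; use ntohl() on values from a header. */
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

enum verdict { PASS, DROP_LOOPBACK, DROP_RFC1918 };

struct iface {              /* hypothetical interface descriptor */
    bool is_loopback;       /* a property of the interface itself */
    bool block_rfc1918;     /* local policy, set by the administrator */
};

static bool in_net(uint32_t addr, uint32_t net, unsigned prefix_len)
{
    uint32_t mask = ~(uint32_t)0 << (32 - prefix_len); /* prefix_len 1..32 */
    return (addr & mask) == (net & mask);
}

static bool is_loopback_addr(uint32_t a) { return in_net(a, IPV4(127, 0, 0, 0), 8); }

static bool is_rfc1918(uint32_t a)
{
    return in_net(a, IPV4(10, 0, 0, 0), 8) ||
           in_net(a, IPV4(172, 16, 0, 0), 12) ||
           in_net(a, IPV4(192, 168, 0, 0), 16);
}

/* The same test is applied to received and transmitted packets on ifp. */
enum verdict check_packet(const struct iface *ifp, uint32_t src, uint32_t dst)
{
    /* 127/8 needs no configuration: it never belongs on a real link. */
    if (!ifp->is_loopback && (is_loopback_addr(src) || is_loopback_addr(dst)))
        return DROP_LOOPBACK;
    /* RFC 1918 space is legitimate on a LAN, so only policy can reject it. */
    if (ifp->block_rfc1918 && (is_rfc1918(src) || is_rfc1918(dst)))
        return DROP_RFC1918;
    return PASS;
}

int main(void)
{
    struct iface dialup = { false, true };
    /* Constructed packet: loopback source seen on the dialup link. */
    enum verdict v = check_packet(&dialup, IPV4(127, 0, 0, 1), IPV4(198, 51, 100, 7));
    return v == DROP_LOOPBACK ? 0 : 1;
}
```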
