Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 6 Jun 2000 02:35:42 +0200 (CEST)
From:      Stefan `Sec` Zehl <sec@42.org>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/19048: localhost can be accessed via the network
Message-ID:  <200006060035.CAA11698@matrix.42.org>
next in thread | raw e-mail | index | archive | help 

>Number:         19048
>Category:       kern
>Synopsis:       localhost can be accessed via the network
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 05 17:40:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Stefan `Sec` Zehl
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

FreeBSD machine with ethernet.

>Description:

I'm not sure wether this is a real bug. This is more of a question if this
should be changed.

You can access listening demons bound to localhost from another machine
on the same ip subnet. Some people do not expect this. :)

>How-To-Repeat:

I'm on my host 'yoda'

| yoda:~#telnet 127.0.0.1
| Trying 127.0.0.1...
| Connected to localhost.
| Escape character is '^]'.
| 
| FreeBSD/i386 (yoda) (ttypa)
| 
| login:
| telnet> q
| Connection closed.

I modify the routes a bit...

| yoda:~#route delete -host 127.0.0.1
| delete host 127.0.0.1

| yoda:~#route add -host 127.0.0.1 -gateway kenobi
| add host 127.0.0.1

Now localhost is somewhere else :)

| yoda:~#telnet 127.0.0.1
| Trying 127.0.0.1...
| Connected to localhost.
| Escape character is '^]'.
| 
| FreeBSD/i386 (kenobi) (ttype)
| 
| login:
| telnet> q
| Connection closed.

I even tried it with program listening only on localhost:8888 on kenobi

| yoda:~#telnet 127.0.0.1 8888
| Trying 127.0.0.1...
| Connected to localhost.
| Escape character is '^]'.
| Hallo, hier ist kenobi-localhost
| Connection closed by foreign host.

Of course this usually doesn't matter because if you have bad guys on your
ethernet, you usually have worse problems already :)

But quite some people expect programs listening on localhost to be only
accessible from localhost.

>Fix:
	
filter 127/8 somewhere in the kernel?

if this is not deemed right, you can of course use ipfilter / ipfw to block
these packets.

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200006060035.CAA11698>