Date: Wed, 13 Feb 2002 09:35:02 +0100 (CET)
From: Attila Nagy <bra@fsn.hu>
To: Michael Meltzer <mjm@michaelmeltzer.com>
Cc: Ruslan Ermilov <ru@FreeBSD.ORG>, <stable@FreeBSD.ORG>
Subject: Re: 127/8 in ip_output.c
Message-ID: <Pine.LNX.4.44.0202130930060.21764-100000@scribble.fsn.hu>
In-Reply-To: <00c701c1b3f3$169409f0$34f820c0@ix1x1000>
Hello,

> http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-

Besides that I often use jail to separate different services on the same
machine. For this task I like to use addresses from the 127/8 range and
bind the jails to those on the lo0 interface.

For a shell jail I can run this on 127.0.0.5 with an RDR line in
/etc/ipnat.rules:

    rdr fxp0 1.2.3.4/32 port 22 -> 127.0.0.5 port 22

And if users want to connect out from this jail I specify a:

    map fxp0 127.0.0.5/32 -> 1.2.3.4/32

As you can see, this way I don't use 127/8 addresses on external
interfaces, but the current behaviour stops this, because it sees the
traffic before IPF can NAT the packages, so it denies the 127.0.0.5.

I think this is not a breakage of the RFC, since I use 127/8 *internally*
for an internal network (that's what 127/8 is for) and FreeBSD denies it
to work.

I think it should be very good to give a sysctl for setting this...

Thanks,
--------------------------------------------------------------------------
Attila Nagy                             e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)           @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.   cell.: +3630 306 6758

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message