Date: Wed, 13 Feb 2002 13:23:13 -0500 From: "Michael Meltzer" <mjm@michaelmeltzer.com> To: "Ruslan Ermilov" <ru@FreeBSD.ORG>, "Attila Nagy" <bra@fsn.hu> Cc: <stable@FreeBSD.ORG> Subject: Re: 127/8 in ip_output.c Message-ID: <03f401c1b4bb$7f97bfa0$34f820c0@ix1x1000> References: <00c701c1b3f3$169409f0$34f820c0@ix1x1000> <Pine.LNX.4.44.0202130930060.21764-100000@scribble.fsn.hu> <01a701c1b33c$733b99a0$34f820c0@ix1x1000> <20020212141520.A8237@sunbay.com> <00c701c1b3f3$169409f0$34f820c0@ix1x1000> <20020213105442.A46245@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I try it out tonight, head good things about it already, ThankYou. For what is worth, it seems the problem he is really a routing table issue, it seem that on FreeBSD-stable (without the code) if you where trying to ping 127.0.0.2 (which is not defined) the message goes out the default route, which is a bad thing :-) but by adding "route add -net 127.0.0.0 127.0.0.1 255.0.0.0" which cleaned this up nicely and BTW is how most interfaces handle unknow local networks hosts :-) I am sure that thier is a problem doing this (never seen local host route the address 127.* space, :-) but ..... MJM ----- Original Message ----- From: "Ruslan Ermilov" <ru@FreeBSD.ORG> To: "Michael Meltzer" <mjm@michaelmeltzer.com>; "Attila Nagy" <bra@fsn.hu> Cc: <stable@FreeBSD.ORG> Sent: Wednesday, February 13, 2002 3:54 AM Subject: Re: 127/8 in ip_output.c > OK, got it. Let me know if the attached patch fixes the problem for IPF. > > On Tue, Feb 12, 2002 at 01:28:37PM -0500, Michael Meltzer wrote: > > http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+- > > > > I do not use squid but, http://www.squid-cache.org/Doc/FAQ/FAQ-17.html, the > > freebsd section uses the 127.* game > > > > http://cr.yp.to/djbdns/faq/cache.html#mixnmatch , it the 127.* trick again, > > and if you want to services the inside address you need a rdr from the > > inside ip to 127. > > > > > > The point is this is too strong a position on the issue, maybe you want a > > sysctl around it, not unheard of for network RFC's. But frankly you are > > trying to build firewall functionality into the kernel when most people > > expect it in their ipf rule set. Worst let there rules set will look right > > when they try to open it up and led to "craziness/frustration/very bad > > works" when it does not work as excepted or meet their expectation about > > what is happening. I been doing things like this on Solaris /FreeBSD for > > years to solve network problems. > > > > MJM > > > > PS. what is the view of the "group"? > > > > ----- Original Message ----- > > From: "Ruslan Ermilov" <ru@FreeBSD.ORG> > > To: "Michael Meltzer" <mjm@michaelmeltzer.com> > > Cc: <stable@FreeBSD.ORG> > > Sent: Tuesday, February 12, 2002 7:15 AM > > Subject: Re: 127/8 in ip_output.c > > > > > > > On Mon, Feb 11, 2002 at 03:41:15PM -0500, Michael Meltzer wrote: > > > > > > > > I just got caught by block of all 127/8 in ip_output.c, At this point > > > > I have recompiled my system to remove it but frankly I think it > > should > > > > be removed from the OS, What happened it the it took out djbdsn along > > > > with IPF, now those system where configured based on their respective > > > > HOWTO's. Unless someone wants to start changing all the HOWTO's this > > > > is asking for trouble. This is not nice, Luckily I knew how to code, > > > > where to look and compile a kernel, think everyone who uses FreeBSD > > > > will be so luckily. The RFC what to prevent 127/8 from leveling the > > > > box, but could it be done not to breaking the tools. > > > > > > > Could you please forward me a reference to this HOWTO? > > > > > > > > > Cheers, > > > -- > > > Ruslan Ermilov Sysadmin and DBA, > > > ru@sunbay.com Sunbay Software AG, > > > ru@FreeBSD.org FreeBSD committer, > > > +380.652.512.251 Simferopol, Ukraine > > > > > > http://www.FreeBSD.org The Power To Serve > > > http://www.oracle.com Enabling The Information Age > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-stable" in the body of the message > > On Wed, Feb 13, 2002 at 09:35:02AM +0100, Attila Nagy wrote: > > Hello, > > > > > http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+- > > Besides that I often use jail to separate different services on the same > > machine. > > For this task I like to use addresses from the 127/8 range and bind the > > jails to those on the lo0 interface. > > > > For a shell jail I can run this on 127.0.0.5 with a RDR line in > > /etc/ipnat.rules: > > rdr fxp0 1.2.3.4/32 port 22 -> 127.0.0.5 port 22 > > > > And if users want to connect out from this jail I specify a: > > map fxp0 127.0.0.5/32 -> 1.2.3.4/32 > > > > as you can see this way I don't use 127/8 addresses on external > > interfaces, but the current behaviour stops this, because it sees the > > traffic before IPF can NAT the packages, so it deny the 127.0.0.5. > > > > I think this is not a breakage of the RFC, since I use 127/8 *internally* > > for an internal network (that's what 127/8 is for) and FreeBSD denies it > > to work. > > > > I think it should be very good to give a sysctl for setting this... > > > > Thanks, > > -------------------------------------------------------------------------- > > Attila Nagy e-mail: Attila.Nagy@fsn.hu > > Budapest Polytechnic (BMF.HU) @work: +361 210 1415 (194) > > H-1084 Budapest, Tavaszmezo u. 15-17. cell.: +3630 306 6758 > > > -- > Ruslan Ermilov Sysadmin and DBA, > ru@sunbay.com Sunbay Software AG, > ru@FreeBSD.org FreeBSD committer, > +380.652.512.251 Simferopol, Ukraine > > http://www.FreeBSD.org The Power To Serve > http://www.oracle.com Enabling The Information Age > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?03f401c1b4bb$7f97bfa0$34f820c0>