From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Loopback security...
Date: Tue, 22 Apr 2008 09:08:22 -0500
Message-ID: <480DF156.5060801@riverviewtech.net>
In-Reply-To: <480DC570.80303@solutti.com.br>
On 04/22/08 06:01, Leonardo Rodrigues Magalhães wrote:
> Are you sure you understand it right ??? What do you mean by 'linux
> consider it secure' ?? do you mean it has no access control by
> default ???? This happens with ALL linux network (logical and
> physical) ones. If you need access control on network level, then you
> got iptables !!!
No, you misunderstood me. What I meant by "Linux considers it secure"
is that (by default) it will not let any traffic in to or out of the
loopback interface from / to a different interface. I.e. (presuming
that I bind an additional subnet (192.0.2/24 "Test network") to the
loopback interface and set up another station to route to it via the
static IP on the ethernet interface.
+---+ +---+
| A +-- - - - - - - --+ B |
+---+ .1 (10.0.0) .254 +---+
Suppose I bind 192.0.2.1 to A's loopback interface and add a route to
192.0.2/24 to B via 10.0.0.1. If I try to ping 192.0.2.1 from B, the
traffic will leave B and go down the wire just like it should. However
my experience shows that A will not forward the traffic in to the
loopback interface and destination IP. Note: This config is with all
firewalling completely disabled and forwarding enabled.
Said another way, Linux will not allow foreign traffic (non localhost)
on the loopback interface for security reasons. I believe this to be a
design decision based on security.
> What was the problem solved/workarounded ???? Tell us what happened
> and maybe we'll tell you if using rinetd was a smart solution and, if
> it's not, maybe give you other better workaround tips.
This is not an actual problem but rather a (theoretical) discussion on
whether such is or is not possible to do with Linux.
> No seek and hide games .... tell us what's really your problem
> please.
Again, this is not a game or a problem to solve, merely a question /
discussion of "Is it possible..." to send traffic in to and / or out of
the loopback interface. If it is not possible (by default) is it
possible to disable this built in / inherent security?
> Do you mean loopback interface to throw/receive traffic on your
> physical network, ie, ethernet cables ??? If this is your idea, it
> goes against the whole loopback idea and I think it certainly can't be
> done.
Yes, this is what I was asking. I know and understand fully well why
this generally is not done. However I wanted to know if it is possible
to throw some setting on the system to allow this to be done against
better advice.
Grant. . . .
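The behaviour the message above describes has a visible footprint on the receiving host: when a packet for a loopback-only destination (127.0.0.0/8) arrives on a non-loopback device, the kernel drops it as a "martian destination" unless net.ipv4.conf.<dev>.route_localnet is enabled, and it logs the drop when net.ipv4.conf.<dev>.log_martians is set. The following is an added example, not part of the thread and not code from any of its participants: it parses such kernel log lines and summarises which interface and peer keep sending traffic at loopback addresses, so an administrator can tell whether someone is trying to reach the loopback interface from the wire. The log lines are constructed for the example, with host and address names taken from the diagram in the message; the field order in the regular expression follows the kernel's "martian destination X from Y, dev Z" / "martian source X from Y, on dev Z" wording.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines, in the format the IPv4 stack emits when
# log_martians=1. The "ll header" line is the link-layer dump the kernel
# prints after a martian-source report; it carries no IP fields.
SAMPLE_LOG = """\
Apr 22 09:08:22 hostA kernel: IPv4: martian destination 127.0.0.1 from 10.0.0.254, dev eth0
Apr 22 09:08:23 hostA kernel: IPv4: martian destination 127.0.0.1 from 10.0.0.254, dev eth0
Apr 22 09:08:25 hostA kernel: IPv4: martian source 10.0.0.7 from 192.0.2.9, on dev eth1
Apr 22 09:08:25 hostA kernel: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Apr 22 09:09:01 hostA kernel: IPv4: martian destination 127.0.0.53 from 10.0.0.254, dev eth0
Apr 22 09:09:30 hostA sshd[1234]: Accepted publickey for grant from 10.0.0.254 port 51234
"""

LOOPBACK_NET = ip_network("127.0.0.0/8")

# kind: "destination" or "source"; addr: the martian address;
# peer: the other address in the report; dev: receiving interface.
MARTIAN_RE = re.compile(
    r"martian (?P<kind>destination|source) (?P<addr>\S+) "
    r"from (?P<peer>\S+),(?: on)? dev (?P<dev>\S+)"
)


def parse_martians(text):
    """Return one record per martian report found in the log text."""
    records = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        records.append({
            "kind": m.group("kind"),
            "addr": ip_address(m.group("addr")),
            "peer": ip_address(m.group("peer")),
            "dev": m.group("dev"),
        })
    return records


def summarize_loopback_destinations(records):
    """Count martian-destination drops for 127/8, keyed by (device, sender).

    A high count from one sender is traffic that the kernel refused to
    deliver to the loopback interface; the sysctls to review on that
    device are route_localnet (should stay 0 unless deliberately needed)
    and log_martians (keep on so the drops stay visible).
    """
    counts = Counter()
    for rec in records:
        if rec["kind"] == "destination" and rec["addr"] in LOOPBACK_NET:
            counts[(rec["dev"], str(rec["peer"]))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_martians(SAMPLE_LOG)
    for (dev, peer), n in summarize_loopback_destinations(recs).items():
        print(f"{dev}: {n} packet(s) for 127/8 from {peer} dropped as martian")
```

Feed it the output of `dmesg` or `journalctl -k` instead of the constructed sample; the parser ignores unrelated kernel lines, and only 127/8 destinations are counted, since an address bound to lo from another range (such as the 192.0.2.1 in the message) is not a martian destination by that rule.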
2008-04-22 2:05 Loopback security Grant Taylor
2008-04-22 11:01 ` Leonardo Rodrigues Magalhães
2008-04-22 14:08 ` Grant Taylor [this message]
2008-04-22 16:04 ` Pascal Hambourg
2008-04-22 19:43 ` Grant Taylor
2008-04-23 10:51 ` Pascal Hambourg
2008-04-25 20:00 ` Grant Taylor
2008-04-22 20:51 ` Petr Pisar
2008-04-23 9:31 ` Pascal Hambourg
2008-04-23 9:45 ` Leonardo Rodrigues Magalhães
2008-04-22 16:50 ` Leonardo Rodrigues Magalhães
2008-04-22 20:07 ` Grant Taylor
2008-04-22 20:25 ` Leonardo Rodrigues Magalhães
2008-04-23 0:38 ` Grant Taylor
2008-04-23 9:07 ` Pascal Hambourg
2008-04-23 9:44 ` Pascal Hambourg
2008-04-22 19:48 ` Jan Engelhardt
2008-04-22 20:16 ` Grant Taylor
2008-04-23 15:22 ` Jan Engelhardt
2008-04-25 20:11 ` Grant Taylor