From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Loopback security...
Date: Tue, 22 Apr 2008 09:08:22 -0500 [thread overview]
Message-ID: <480DF156.5060801@riverviewtech.net> (raw)
In-Reply-To: <480DC570.80303@solutti.com.br>
On 04/22/08 06:01, Leonardo Rodrigues Magalhães wrote:
> Are you sure you understand it right ??? What do you mean by 'linux
> consider it secure' ?? do you mean it has no access control by
> default ???? This happens with ALL linux network (logical and
> phisical) ones. If you need access control on network level, then you
> got iptables !!!
No, you mis-understood me. What I meant by "Linux considers it secure"
is that (by default) it will not let any traffic in to our out of the
loopback interface from / to a different interface. I.e. (presuming
that a bind an additional subnet (192.0.2/24 ""Test network) to the
loopback interface and set up another station to route to it via the
static ip on the ethernet interface.
+---+ +---+
| A +-- - - - - - - --+ B |
+---+ .1 (10.0.0) .254 +---+
Suppose I bind 192.0.2.1 to A's loop back interface and add a route to
192.0.2/24 to B via 10.0.0.1. If I try to ping 192.0.2.1 from B, the
traffic will leave B and go down the wire just like it should. However
my experience shows that A will not forward the traffic in to the
loopback interface and destination IP. Note: This config is with all
firewalling completely disabled and forwarding enabled.
Said another way, Linux will not allow foreign traffic (non localhost)
on the loopback interface for security reasons. I believe this to be a
design decision based on security.
> What was the problem solved/workarounded ???? Tell us what happened
> and maybe we'll tell you if using rinetd was a smart solution and, if
> it's not, maybe give you other better workaround tips.
This is not an actual problem but rather a (theoretical) discussion on
whether such is or is not possible to do with Linux.
> No seek and hide games .... tell us what's really your problem
> please.
Again, this is not a game or a problem to solve, merely a question /
discussion of "Is it possible..." to send traffic in to and / or out of
the loopback interface. If it is not possible (by default) is it
possible to disable this built in / inherent security?
> Do you mean loopback interface to throw/receive traffic on your
> phisical network, ie, ethernet cables ??? If this is your idea, it
> goes against the whole loopback idea and i think it certainly cant be
> done.
Yes, this is what I was asking. I know and understand fully well why
this generally is not done. However I wanted to know if it is possible
to throb some setting on the system to allow this to do be done against
better advice.
Grant. . . .
next prev parent reply other threads:[~2008-04-22 14:08 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-22 2:05 Loopback security Grant Taylor
2008-04-22 11:01 ` Leonardo Rodrigues Magalhães
2008-04-22 14:08 ` Grant Taylor [this message]
2008-04-22 16:04 ` Pascal Hambourg
2008-04-22 19:43 ` Grant Taylor
2008-04-23 10:51 ` Pascal Hambourg
2008-04-25 20:00 ` Grant Taylor
2008-04-22 20:51 ` Petr Pisar
2008-04-23 9:31 ` Pascal Hambourg
2008-04-23 9:45 ` Leonardo Rodrigues Magalhães
2008-04-22 16:50 ` Leonardo Rodrigues Magalhães
2008-04-22 20:07 ` Grant Taylor
2008-04-22 20:25 ` Leonardo Rodrigues Magalhães
2008-04-23 0:38 ` Grant Taylor
2008-04-23 9:07 ` Pascal Hambourg
2008-04-23 9:44 ` Pascal Hambourg
2008-04-22 19:48 ` Jan Engelhardt
2008-04-22 20:16 ` Grant Taylor
2008-04-23 15:22 ` Jan Engelhardt
2008-04-25 20:11 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=480DF156.5060801@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox