From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Loopback security...
Date: Tue, 22 Apr 2008 18:04:50 +0200 [thread overview]
Message-ID: <480E0CA2.2030902@plouf.fr.eu.org> (raw)
In-Reply-To: <480DF156.5060801@riverviewtech.net>
Hello,
Grant Taylor a écrit :
>
> No, you mis-understood me. What I meant by "Linux considers it secure"
> is that (by default) it will not let any traffic in to our out of the
> loopback interface from / to a different interface.
There is no such traffic forwarded between the loopback interface and
another interface, because it just makes no sense. The loopback is
designed for local host communications : all that is sent through it is
received back by the host, and all that is received through it was sent
by the host.
> +---+ +---+
> | A +-- - - - - - - --+ B |
> +---+ .1 (10.0.0) .254 +---+
>
> Suppose I bind 192.0.2.1 to A's loop back interface and add a route to
> 192.0.2/24 to B via 10.0.0.1. If I try to ping 192.0.2.1 from B, the
> traffic will leave B and go down the wire just like it should. However
> my experience shows that A will not forward the traffic in to the
> loopback interface and destination IP.
Of course not. Why would it ? The destination is local (see 'ip route
show table local'), and is treated just as any other local destination
like 10.0.0.1. Traffic is forwarded only when the destination is remote.
> Said another way, Linux will not allow foreign traffic (non localhost)
> on the loopback interface for security reasons. I believe this to be a
> design decision based on security.
I believe it is rather based on common sense.
next prev parent reply other threads:[~2008-04-22 16:04 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-22 2:05 Loopback security Grant Taylor
2008-04-22 11:01 ` Leonardo Rodrigues Magalhães
2008-04-22 14:08 ` Grant Taylor
2008-04-22 16:04 ` Pascal Hambourg [this message]
2008-04-22 19:43 ` Grant Taylor
2008-04-23 10:51 ` Pascal Hambourg
2008-04-25 20:00 ` Grant Taylor
2008-04-22 20:51 ` Petr Pisar
2008-04-23 9:31 ` Pascal Hambourg
2008-04-23 9:45 ` Leonardo Rodrigues Magalhães
2008-04-22 16:50 ` Leonardo Rodrigues Magalhães
2008-04-22 20:07 ` Grant Taylor
2008-04-22 20:25 ` Leonardo Rodrigues Magalhães
2008-04-23 0:38 ` Grant Taylor
2008-04-23 9:07 ` Pascal Hambourg
2008-04-23 9:44 ` Pascal Hambourg
2008-04-22 19:48 ` Jan Engelhardt
2008-04-22 20:16 ` Grant Taylor
2008-04-23 15:22 ` Jan Engelhardt
2008-04-25 20:11 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=480E0CA2.2030902@plouf.fr.eu.org \
--to=pascal.mail@plouf.fr.eu.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox