[431] in linux-net channel archive
possible bug in IP-forwarding
daemon@ATHENA.MIT.EDU (Herbert Rosmanith)
Wed Jun 7 22:55:39 1995
From: Herbert Rosmanith <herp@wildsau.idv.uni-linz.ac.at>
To: linux-net@vger.rutgers.edu
Date: Thu, 8 Jun 1995 03:33:37 +0200 (MET DST)
Cc: hanusch@edvz.uni-linz.ac.at
greetings,
This one looks like a possible bug in the IP-forwarding code. Kernel version
1.2.9.
From portmap, I get the following entries very frequently.
> Jun 8 02:10:49 linux1 portmap[3982]: connect from 140.78.58.5 to callit(300214):
> request from unauthorized host
> Jun 8 02:10:53 linux1 portmap[3983]: connect from 140.78.58.5 to callit(300214):
> request from unauthorized host
> Jun 8 02:10:57 linux1 portmap[3984]: connect from 140.78.58.5 to callit(300214):
> request from unauthorized host
This is because I have restricted portmap in /etc/hosts.deny to local use
only.
Of course I asked the admins of these sites; they told me that they don't
know of such portmapper requests.
Thus, I used tcpdump to tell me what's going on. It revealed the following:
> 06:58:52.685288 8:0:20:c:67:49 Broadcast ip 302: pluto.dke.uni-linz.ac.at.3080
> 140.78.0.0.sunrpc: udp 260
> 06:58:52.689061 0:0:89:0:23:8e 0:0:c:8:28:37 ip 302: pluto.dke.uni-linz.ac.at.3080
> 140.78.0.0.sunrpc: udp 260
> 06:58:56.742906 8:0:20:c:67:49 Broadcast ip 302: pluto.dke.uni-linz.ac.at.3080
> 140.78.0.0.sunrpc: udp 260
> 06:58:56.743698 0:0:89:0:23:8e 0:0:c:8:28:37 ip 302: pluto.dke.uni-linz.ac.at.3080
> 140.78.0.0.sunrpc: udp 260
> 08:05:56.744771 8:0:20:c:67:49 Broadcast ip 302: pluto.dke.uni-linz.ac.at.3081
> 140.78.0.0.sunrpc: udp 260
> 08:06:00.818180 8:0:20:c:67:49 Broadcast ip 302: pluto.dke.uni-linz.ac.at.3081
> 140.78.0.0.sunrpc: udp 260
> 09:13:00.868601 8:0:20:c:67:49 Broadcast ip 302: pluto.dke.uni-linz.ac.at.3084
> 140.78.0.0.sunrpc: udp 260
(Yes, I know the timestamps don't match. Those aren't the same packets that
have been monitored, but the matching ones are *somewhere* in the big 12M
logfile which tcpdump produced during the weekend, and I don't have the nerves
to wait until grep finishes .... but you can believe me, the portmapper messages
come from these broadcasts.)
You see: these entries come from a host which does a MAC-broadcast and an
IP-net request (= 140.78.0.0).
I don't know *why* they are doing this; they are not under my administration
(that simply means I don't know what's going on, not that I could do it better :)
Since those packets are HW-broadcasts, the packets are received by the kernel
and sent to the upper layers, i.e. to portmap!
Why that? :-)
My IP address is 140.78.40.62, not 140.78.0.0!
140.78.0.0 is in my routing table as a directly connected network (on eth0).
BTW: please verify the following:
when IP-forwarding is enabled
and a HW-broadcast arrives
then do _not_ forward it :)
but silently drop it.
I know this sounds trivial, but you never can be sure ... :->
Like now, HW-broadcasts are sent to the application. It would be
an even more dangerous behaviour if those packets get routed, especially
when the route leads to the interface where the broadcast came from ...
If it's no HW-broadcast, and the packets go back to the same interface,
does Linux send out an "ICMP Redirect"?
-------------------------------------------------------------
herp@wildsau.idv.uni-linz.ac.at | Fighting for peace is like
Rosmanith@Edvz.uni-linz.ac.at | fucking for virginity
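An added example, not part of the post or of the 1.2.9 kernel: a small Python model of the deliver / forward / drop decision the message asks about, plus a parser for the tcpdump lines quoted above so a capture can be audited for link-layer broadcasts aimed at the network address. It assumes the poster's eth0 configuration 140.78.40.62/16; the sample capture lines are constructed from the ones in the post, and the legacy all-zeros broadcast form (the network address itself) is treated as a local broadcast only when `accept_zero_bcast` is set, so both readings of the 140.78.0.0 packets can be compared.

```python
import ipaddress
import re

# tcpdump 1.x-style line as quoted in the post: time, src MAC, dst MAC ("Broadcast"
# for ff:ff:ff:ff:ff:ff), "ip <len>:", then "src.port > dst.port: udp <len>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>\S+) (?P<dmac>\S+) ip \d+: (?P<src>\S+) > (?P<dst>\S+): udp \d+$"
)
# Constructed sample: the first two lines mirror the post's capture, the third is an
# invented unicast datagram to the host's own address for contrast.
SAMPLE = """\
06:58:52.685288 8:0:20:c:67:49 Broadcast ip 302: pluto.dke.uni-linz.ac.at.3080 > 140.78.0.0.sunrpc: udp 260
06:58:52.689061 0:0:89:0:23:8e 0:0:c:8:28:37 ip 302: pluto.dke.uni-linz.ac.at.3080 > 140.78.0.0.sunrpc: udp 260
06:59:10.000000 8:0:20:c:67:49 0:0:c:8:28:37 ip 62: pluto.dke.uni-linz.ac.at.1023 > 140.78.40.62.sunrpc: udp 20
"""
HOST = ipaddress.IPv4Interface("140.78.40.62/16")  # the poster's address on eth0 (assumed /16)

def parse(line):
    """Return (timestamp, arrived-as-link-layer-broadcast, dst IP) or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst_ip = m.group("dst").rsplit(".", 1)[0]  # strip the ".sunrpc" service suffix
    return m.group("ts"), m.group("dmac") == "Broadcast", dst_ip

def classify(dst_ip, ll_broadcast, iface, forwarding=True, accept_zero_bcast=True):
    """Model the decision for a datagram arriving on `iface` (an IPv4Interface).
    Local destinations: our address, the all-ones directed broadcast, 255.255.255.255
    and, if accept_zero_bcast, the legacy all-zeros form (the network address).
    A link-layer broadcast that is not for us is dropped, never routed.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    net = iface.network
    local = {iface.ip, net.broadcast_address, ipaddress.IPv4Address("255.255.255.255")}
    if accept_zero_bcast:
        local.add(net.network_address)
    if dst in local:
        return "deliver"
    if ll_broadcast:
        return "drop"  # never forward what arrived as a HW broadcast
    return "forward" if forwarding else "drop"

def audit(capture, iface, **policy):
    """Run every parsable capture line through classify(); returns [(ts, dst, verdict)]."""
    rows = [parse(line) for line in capture.splitlines()]
    return [(ts, dst, classify(dst, bc, iface, **policy)) for ts, bc, dst in filter(None, rows)]

if __name__ == "__main__":
    for policy in ({"accept_zero_bcast": True}, {"accept_zero_bcast": False}):
        print(policy, audit(SAMPLE, HOST, **policy))
```

With `accept_zero_bcast=False` the second sample line (unicast MAC, destination 140.78.0.0) comes out as "forward", which is exactly the back-out-the-same-interface case the post worries about.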