[19524] in bugtraq


Re: Loopback and multi-homed routing flaw in TCP/IP stack.

daemon@ATHENA.MIT.EDU (Martin Macok)
Tue Mar 6 20:56:00 2001

Mail-Followup-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Message-ID:  <20010306230517.H910@sarah.kolej.mff.cuni.cz>
Date:         Tue, 6 Mar 2001 23:05:17 +0100
Reply-To: Martin Macok <martin.macok@UNDERGROUND.CZ>
From: Martin Macok <martin.macok@UNDERGROUND.CZ>
X-To:         3APA3A <3APA3A@SECURITY.NNOV.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <173678817147.20010306133418@SECURITY.NNOV.RU>; from
              3APA3A@SECURITY.NNOV.RU on Tue, Mar 06, 2001 at 01:34:18PM +0300
Content-Transfer-Encoding: 8bit

On Tue, Mar 06, 2001 at 01:34:18PM +0300, 3APA3A wrote:
> I believe solution for this problem may be something like
> 
> ipfw add allow all via lo*
> ipfw add deny all to 127.0.0.0/8
> 
> if you want this behavior to be changed.

 (In case Linux 2.4 ''suffers'' from it ...
  I had no time to test it, but others (Kyle Sparger) claimed that it does.)

In netfilter/iptables (linux 2.4) language:

### ALLOW EVERYTHING FROM lo AND DISABLE EVERYTHING ELSE TO 127.0.0.*
iptables -A INPUT -i lo -j ACCEPT
# if you want some logging, uncomment next line:
# iptables -A INPUT -d 127.0.0.0/8 -m limit --limit 5/minute -j LOG
iptables -A INPUT -d 127.0.0.0/8 -j DROP

OR similar strategy:

### DISABLE EVERYTHING TO 127.0.0.* NOT COMING FROM lo
# if you want some logging, uncomment next line:
# iptables -A INPUT -d 127.0.0.0/8 -i ! lo -m limit --limit 5/minute -j LOG
iptables -A INPUT -d 127.0.0.0/8 -i ! lo -j DROP

I vote for the 'Strong ES Model' by default (especially for Linux, as it
is often installed by clueless beginners), and there is no argument for
making the 'Weak ES Model' the default. Including the fact that almost
no current Security-HOWTOs/Firewall-HOWTOs/Networking-HOWTOs discuss
that topic ...

Have a nice day

-- 
   Martin Mačok
  underground.cz
    openbsd.cz
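Added here as an example (not from the original post or the thread): a small first-match evaluator for INPUT rules in the syntax that iptables -S prints, used to check that both rule sets above drop a packet for 127.0.0.1 arriving on a non-loopback interface while still accepting it on lo, and that LOG does not terminate the chain. The rule lines, the interface name eth0 and the packet addresses are constructed samples; only -d, -i (in both the current "! -i lo" and the older "-i ! lo" form) and -j are understood.

```python
import ipaddress
# Constructed samples: the post's rule sets as `iptables -S INPUT` prints them.
ALLOW_LO_THEN_DROP = """
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -m limit --limit 5/minute -j LOG
-A INPUT -d 127.0.0.0/8 -j DROP
"""
DROP_NOT_FROM_LO = "-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP"

def parse_rule(line):  # one -A INPUT line -> match criteria (-d, -i) and target (-j)
    tok = line.split()
    rule = {"dst": None, "iface": None, "iface_neg": False, "target": None}
    i, neg = 0, False
    while i < len(tok):
        t = tok[i]
        if t == "!":                        # current negation form: ! -i lo
            neg = True
        elif t in ("-A", "-m", "--limit"):  # skip chain name and match-module args
            i += 1
        elif t in ("-d", "-i", "-j"):
            val = tok[i + 1]
            if val == "!":                  # legacy negation form used in the post: -i ! lo
                neg, val, i = True, tok[i + 2], i + 1
            if t == "-d":
                rule["dst"] = ipaddress.ip_network(val)
            elif t == "-i":
                rule["iface"], rule["iface_neg"] = val, neg
            else:
                rule["target"] = val
            neg, i = False, i + 1
        i += 1
    return rule

def matches(rule, dst, iface):
    ok_dst = rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]
    ok_if = rule["iface"] is None or (rule["iface"] == iface) != rule["iface_neg"]
    return ok_dst and ok_if

def verdict(ruleset, dst, iface, policy="ACCEPT"):
    for line in ruleset.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, dst, iface) and rule["target"] != "LOG":  # LOG falls through
            return rule["target"]
    return policy                           # chain policy when nothing matched

def loopback_guarded(ruleset):
    """True if 127/8 is dropped off a non-lo interface but still accepted on lo."""
    return (verdict(ruleset, "127.0.0.1", "eth0") == "DROP"
            and verdict(ruleset, "127.0.0.1", "lo") == "ACCEPT"
            and verdict(ruleset, "10.0.0.5", "eth0") == "ACCEPT")
```

A ruleset consisting only of "-A INPUT -i lo -j ACCEPT" with the default ACCEPT policy fails the check, which is the weak-ES behaviour the thread complains about.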
