Micah Anderson wrote:
> Ah, looking at my firewall I've got:
>
> -A output -s 127.0.0.1/255.0.0.0 -d 127.0.0.1/255.0.0.0 -p 17 -j ACCEPT
> -A output -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> -A output -s 0.0.0.0/0.0.0.0 -d 127.0.0.0/255.0.0.0 -j REJECT -l
> -A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
> -A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
>
> So from what you are saying I should add:
>
> -A output -s 127.0.0.1/255.0.0.0 0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 3 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 4 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 8 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 11 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 12 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
>
> ?
>
> Should these be allowable from 127.0.0.1 to anywhere? And would the ICMP
> port originate on the 127.0.0.1 end or the destination end?

No, 127.0.0.0/8 addresses should never be allowed on any interface other than
loopback. Conversely, you should not accept traffic from these addresses on any
interface other than loopback.

A nice way to do this with ipchains is:

ipchains -A input ! -i lo -s 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo -s 127.0.0.0/8 -j DENY
ipchains -A input ! -i lo -d 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo -d 127.0.0.0/8 -j DENY

Regards
Simon Murcott
e. [EMAIL PROTECTED]
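
Added example, not part of the original message: a small Python model of first-match rule evaluation applied to the four rules in the reply, showing which packets they drop. The packets, the interface name eth0 and the default ACCEPT policy are constructed assumptions, and the parser handles only the options used in those four rules.

```python
import ipaddress

# The four rules from the reply, minus the leading "ipchains" command name.
RULES = """\
-A input ! -i lo -s 127.0.0.0/8 -j DENY
-A output ! -i lo -s 127.0.0.0/8 -j DENY
-A input ! -i lo -d 127.0.0.0/8 -j DENY
-A output ! -i lo -d 127.0.0.0/8 -j DENY
"""

def parse(line):
    """Parse the option subset used above (-A, [!] -i, -s, -d, -j)."""
    rule = {"iface": None, "iface_neg": False, "src": None, "dst": None}
    tokens, negate = iter(line.split()), False
    for tok in tokens:
        if tok == "!":
            negate = True
            continue
        if tok == "-i":
            rule["iface"], rule["iface_neg"] = next(tokens), negate
        elif negate:
            raise ValueError("negation is only modelled for -i")
        elif tok == "-A":
            rule["chain"] = next(tokens)
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(next(tokens))
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(next(tokens))
        elif tok == "-j":
            rule["target"] = next(tokens)
        else:
            raise ValueError("unsupported option: " + tok)
        negate = False
    return rule

RULESET = [parse(line) for line in RULES.splitlines()]

def verdict(rules, chain, iface, src, dst, policy="ACCEPT"):
    """First matching rule decides; otherwise the assumed chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["iface"] is not None and (r["iface"] == iface) == r["iface_neg"]:
            continue  # interface test (with optional "!") did not match
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        return r["target"]
    return policy
```
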