Micah Anderson wrote:
> Ah, looking at my firewall I've got:
>
> -A output -s 127.0.0.1/255.0.0.0 -d 127.0.0.1/255.0.0.0 -p 17 -j ACCEPT
> -A output -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
> -A output -s 0.0.0.0/0.0.0.0 -d 127.0.0.0/255.0.0.0 -j REJECT -l
> -A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
> -A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
>
> So from what you are saying I should add:
>
> -A output -s 127.0.0.1/255.0.0.0 0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 3 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 4 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 8 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 11 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
> -A output -s 127.0.0.1/255.0.0.0 12 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
>
> ?
>
> Should these be allowable from 127.0.0.1 to anywhere? And would the ICMP
> port originate on the 127.0.0.1 end or the destination end?
No, 127.0.0.0/8 addresses should never be allowed on any interface other than loopback. Conversely, you should not accept traffic from these addresses on any interface other than loopback.

A nice way to do this with ipchains is:

ipchains -A input ! -i lo -s 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo -s 127.0.0.0/8 -j DENY
ipchains -A input ! -i lo -d 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo -d 127.0.0.0/8 -j DENY

Regards
Simon Murcott
e. [EMAIL PROTECTED]
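To see why the `! -i lo` qualifier matters, here is a small rule-walking simulator I added for this thread (not code from either poster). It parses the subset of ipchains syntax used above (`-A`, `! -i`, `-s`, `-d`, `-p`, `-j`, `-l`) and reports which target the first matching rule in a chain gives a packet described by interface, source and destination. The rules and packets fed to it below are constructed for illustration; it does not touch a real kernel.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    chain: str
    target: str
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    iface: Optional[str] = None      # interface named with -i, None = any
    iface_negate: bool = False       # True when written as "! -i <if>"
    proto: Optional[str] = None      # -p value, None = any protocol


def parse_rule(line: str) -> Rule:
    """Parse one ipchains rule line. Only the options used in the
    thread are understood; anything else raises so a typo is not
    silently ignored. Netmask form (127.0.0.0/255.0.0.0) and prefix
    form (127.0.0.0/8) are both accepted."""
    toks = line.split()
    if toks and toks[0] == "ipchains":
        toks = toks[1:]
    r = Rule(chain="", target="")
    negate = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate = True
            i += 1
            continue
        if t == "-A":
            r.chain = toks[i + 1]
        elif t == "-i":
            r.iface, r.iface_negate = toks[i + 1], negate
            negate = False
        elif t == "-s":
            r.src = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-d":
            r.dst = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-p":
            r.proto = toks[i + 1]
        elif t == "-j":
            r.target = toks[i + 1]
        elif t == "-l":          # log flag: affects logging, not matching
            i += 1
            continue
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        if negate:               # negation is only handled for -i here
            raise ValueError(f"'!' only supported before -i: {line!r}")
        i += 2
    if not r.chain or not r.target:
        raise ValueError(f"rule needs -A and -j: {line!r}")
    return r


def evaluate(rules: List[Rule], chain: str, iface: str, src: str, dst: str,
             proto: Optional[str] = None, policy: str = "ACCEPT") -> str:
    """Walk the chain in order; the first matching rule decides. A
    packet that matches nothing gets the chain's default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.chain != chain:
            continue
        if r.iface is not None:
            hit = (iface == r.iface)
            if r.iface_negate:
                hit = not hit
            if not hit:
                continue
        if r.proto is not None and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        return r.target
    return policy


# Constructed example: the four anti-spoofing rules from the reply above.
LOOPBACK_RULES = [parse_rule(l) for l in """
ipchains -A input ! -i lo -s 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo -s 127.0.0.0/8 -j DENY
ipchains -A input ! -i lo -d 127.0.0.0/8 -j DENY
ipchains -A output ! -i lo -d 127.0.0.0/8 -j DENY
""".strip().splitlines()]


def verdicts() -> dict:
    """A few constructed packets: 127/8 on a real interface is denied
    in both directions, while genuine loopback traffic falls through."""
    return {
        "spoofed_in_eth0": evaluate(LOOPBACK_RULES, "input", "eth0", "127.0.0.1", "10.0.0.5"),
        "to_loopback_out_eth0": evaluate(LOOPBACK_RULES, "output", "eth0", "10.0.0.5", "127.0.0.1"),
        "real_loopback": evaluate(LOOPBACK_RULES, "input", "lo", "127.0.0.1", "127.0.0.1"),
        "normal_in_eth0": evaluate(LOOPBACK_RULES, "input", "eth0", "10.0.0.5", "10.0.0.1"),
    }


if __name__ == "__main__":
    for name, target in verdicts().items():
        print(f"{name:22s} -> {target}")
```

The point the simulator makes explicit: a rule such as `-A input -s 127.0.0.0/8 -j DENY` with no interface qualifier matches loopback packets too, whereas `! -i lo` restricts the deny to traffic that could only be spoofed.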