In message <[EMAIL PROTECTED]>, Henrique de Moraes Holschuh writes:
> On Sun, 09 Dec 2001, Guido Hennecke wrote:
>> At 09.12.2001, Henrique de Moraes Holschuh wrote:
>>> On Sun, 09 Dec 2001, Guido Hennecke wrote:
>>>> 127.0.0.1 Gateway <your official ip address> Interface <his
>>>> external interface>
>>>>
>>>> he can reach your service bound to 127.0.0.1. And this without
>>>> activating ip_forward on your computer!
>>> Is this true even if the policy of the forward chain (for ipchains) is set
>>> to deny? (and the equivalent, for iptables)?
>>
>> Those packets did not go through the forward chain. For local
>> interfaces no routing is needed.
>
> If they came over the network, they should have. That is a broken behaviour
> (breaks principle of less surprise, at the very least).
>
> Well, ipmasq needs an update to trash anything incoming and outgoing from
> !lo with a destination of 127.0.0.1/8 then.

It already does this. Check out /etc/ipmasq/rules/I15lospoof.def. It also blocks and logs packets coming from external interfaces claiming to be from an internal address in the /etc/ipmasq/rules/I70masq.def file. The ipmasq firewall is very careful about blocking these sorts of attacks. The only change I make to its default operation is to lock down the external interface.

-- 
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon [EMAIL PROTECTED]
"Human kind cannot bear very much reality." -T.S. Eliot [EMAIL PROTECTED]
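As an added illustration, not code from the thread or from ipmasq: a small Python model of the two checks Ted describes (loopback addresses are legitimate only on lo; an internal source address must never arrive on an external interface), plus iptables rules expressing the same policy. The interface names, the 192.168.1.0/24 internal network and the sample packets are constructed assumptions; the real /etc/ipmasq/rules/I15lospoof.def and I70masq.def files are not reproduced here.

```python
import ipaddress
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on (inbound) or leaves by (outbound)
    src: str
    dst: str
    inbound: bool


def filter_packet(pkt, external_ifaces, internal_nets):
    """Return ("DROP", reason) or ("ACCEPT", "") for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Loopback-spoof check (the I15lospoof idea): 127/8 is valid only on lo, in either
    # direction. The "route 127.0.0.1 via the victim's official address" trick arrives on
    # eth0 with dst 127.0.0.1, so it is caught in INPUT; FORWARD is never consulted.
    if pkt.iface != "lo" and (src in LOOPBACK or dst in LOOPBACK):
        return "DROP", "127.0.0.0/8 address seen on %s" % pkt.iface
    # Anti-spoof check (the I70masq idea): an inbound packet on an external
    # interface must not claim an internal source address.
    if pkt.inbound and pkt.iface in external_ifaces:
        for net in internal_nets:
            if src in ipaddress.ip_network(net):
                return "DROP", "internal source %s arrived on %s" % (src, pkt.iface)
    return "ACCEPT", ""


def iptables_rules(external_ifaces, internal_nets):
    """iptables rules for the same policy (assumed form; not ipmasq's generated output)."""
    rules = [
        "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP",
        "iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP",
        "iptables -A OUTPUT ! -o lo -d 127.0.0.0/8 -j DROP",
    ]
    for ext in sorted(external_ifaces):
        for net in internal_nets:
            rules.append("iptables -A INPUT -i %s -s %s -j LOG --log-prefix 'spoof: '" % (ext, net))
            rules.append("iptables -A INPUT -i %s -s %s -j DROP" % (ext, net))
    return rules


if __name__ == "__main__":
    # Constructed sample: the routing trick from the thread, arriving on eth0
    print(filter_packet(Packet("eth0", "198.51.100.7", "127.0.0.1", True), {"eth0"}, ["192.168.1.0/24"]))
```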