Bug 33996
| Summary: | 127.0.0.0/8 not added to routing table by default | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Aragon Gouveia <aragon> |
| Component: | misc | Assignee: | ru <ru> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
|
Description
Aragon Gouveia
2002-01-17 16:10:00 UTC
On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote: > > > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing > table with destination interface lo0 by default. Instead, only > 127.0.0.1/32 is being routed to the loopback interface. Pinging, > for example, 127.2.3.4 returns no response - in my case it tries > to route via the default route out onto the net! > Nah, this is something that should be controlled with a firewall. The default ipfw(8) rules block this. Also, the kernel function in_canforward() does not allow forwarding of IP packets with the destination address in the 127.0.0.0/8 range. Can this PR be closed now? Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age Hmm, ipfw? Are you referring to blocking incoming packets with 127.0.0.0/8 as their source? What I mean to say is that any tcp/ip enabled machine should be routing the entire class A to it's loopback interface. Pinging any 127 address from that machine should yield a response, not just 127.0.0.1. Regards, Aragon ----- Original Message ----- From: "Ruslan Ermilov" <ru@FreeBSD.org> To: "Aragon Gouveia" <aragon@phat.za.net> Cc: <bug-followup@FreeBSD.org> Sent: Thursday, January 17, 2002 6:20 PM Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default > On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote: > > > > > > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing > > table with destination interface lo0 by default. Instead, only > > 127.0.0.1/32 is being routed to the loopback interface. Pinging, > > for example, 127.2.3.4 returns no response - in my case it tries > > to route via the default route out onto the net! > > > Nah, this is something that should be controlled with a firewall. > The default ipfw(8) rules block this. Also, the kernel function > in_canforward() does not allow forwarding of IP packets with the > destination address in the 127.0.0.0/8 range. > > Can this PR be closed now? > > > Cheers, > -- > Ruslan Ermilov Oracle Developer/DBA, > ru@sunbay.com Sunbay Software AG, > ru@FreeBSD.org FreeBSD committer, > +380.652.512.251 Simferopol, Ukraine > > http://www.FreeBSD.org The Power To Serve > http://www.oracle.com Enabling The Information Age > On Thu, Jan 17, 2002 at 06:40:55PM +0200, Aragon Gouveia wrote: > Hmm, ipfw? Are you referring to blocking incoming packets with 127.0.0.0/8 > as their source? > No, I said "destination address". What I'm talking about here is a brief of section 5.3.7 (Martian Address Filtering) of the "Requirements for IP Version 4 Routers" RFC 1812. > What I mean to say is that any tcp/ip enabled machine > should be routing the entire class A to it's loopback interface. Pinging any > 127 address from that machine should yield a response, not just 127.0.0.1. > Neither this nor RFC 1122 say that ALL 127.* addresses should be replied to. A loopback interface OTOH may have any of the addresses from the 127 network assigned, and response generated. > ----- Original Message ----- > From: "Ruslan Ermilov" <ru@FreeBSD.org> > To: "Aragon Gouveia" <aragon@phat.za.net> > Cc: <bug-followup@FreeBSD.org> > Sent: Thursday, January 17, 2002 6:20 PM > Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default > > > > On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote: > > > > > > > > > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing > > > table with destination interface lo0 by default. Instead, only > > > 127.0.0.1/32 is being routed to the loopback interface. Pinging, > > > for example, 127.2.3.4 returns no response - in my case it tries > > > to route via the default route out onto the net! > > > > > Nah, this is something that should be controlled with a firewall. > > The default ipfw(8) rules block this. Also, the kernel function > > in_canforward() does not allow forwarding of IP packets with the > > destination address in the 127.0.0.0/8 range. > > > > Can this PR be closed now? -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age On Thu, Jan 17, 2002 at 08:30:02AM -0800, Ruslan Ermilov wrote: > The following reply was made to PR misc/33996; it has been noted by GNATS. > > From: Ruslan Ermilov <ru@FreeBSD.org> > To: Aragon Gouveia <aragon@phat.za.net> > Cc: bug-followup@FreeBSD.org > Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default > Date: Thu, 17 Jan 2002 18:20:01 +0200 > > On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote: > > > > > > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing > > table with destination interface lo0 by default. Instead, only > > 127.0.0.1/32 is being routed to the loopback interface. Pinging, > > for example, 127.2.3.4 returns no response - in my case it tries > > to route via the default route out onto the net! > > > Nah, this is something that should be controlled with a firewall. > The default ipfw(8) rules block this. Also, the kernel function > in_canforward() does not allow forwarding of IP packets with the > destination address in the 127.0.0.0/8 range. > > Can this PR be closed now? Well, there is a bug here. Have you ever actually tried, # ping 127.2.3.4 And sniffed the wire? That is a Bad Thing. No machine should ever let 127/8 on the wire. But I believe there is another PR on this. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org On Fri, Jan 18, 2002 at 01:22:34AM -0800, Crist J . Clark wrote: > On Thu, Jan 17, 2002 at 08:30:02AM -0800, Ruslan Ermilov wrote: > > The following reply was made to PR misc/33996; it has been noted by GNATS. > > > > From: Ruslan Ermilov <ru@FreeBSD.org> > > To: Aragon Gouveia <aragon@phat.za.net> > > Cc: bug-followup@FreeBSD.org > > Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default > > Date: Thu, 17 Jan 2002 18:20:01 +0200 > > > > On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote: > > > > > > > > > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing > > > table with destination interface lo0 by default. Instead, only > > > 127.0.0.1/32 is being routed to the loopback interface. Pinging, > > > for example, 127.2.3.4 returns no response - in my case it tries > > > to route via the default route out onto the net! > > > > > Nah, this is something that should be controlled with a firewall. > > The default ipfw(8) rules block this. Also, the kernel function > > in_canforward() does not allow forwarding of IP packets with the > > destination address in the 127.0.0.0/8 range. > > > > Can this PR be closed now? > > Well, there is a bug here. Have you ever actually tried, > > # ping 127.2.3.4 > > And sniffed the wire? That is a Bad Thing. No machine should ever let > 127/8 on the wire. But I believe there is another PR on this. > Yes I tried, and I get EACCES from ipfw(4) because of these lines: 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 127.0.0.0/8 to any :-) Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age <<On Fri, 18 Jan 2002 01:30:02 -0800 (PST), "Crist J . Clark" <cjc@FreeBSD.ORG> said: > And sniffed the wire? That is a Bad Thing. No machine should ever let > 127/8 on the wire. But I believe there is another PR on this. I would note that the IPv6 code *does* install a blackhole route for ::/96, IPv6's equivalent of 127/8: # disallow "internal" addresses to appear on the wire route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject -GAWollman <<On Fri, 18 Jan 2002 07:50:04 -0800 (PST), Ruslan Ermilov <ru@FreeBSD.ORG> said: > On Fri, Jan 18, 2002 at 01:22:34AM -0800, Crist J . Clark wrote: >> And sniffed the wire? That is a Bad Thing. No machine should ever let >> 127/8 on the wire. But I believe there is another PR on this. >> > Yes I tried, and I get EACCES from ipfw(4) because of these lines: Requiring packet filtering for correct operation is an error. -GAWollman On Fri, Jan 18, 2002 at 05:40:59PM +0200, Ruslan Ermilov wrote: > On Fri, Jan 18, 2002 at 01:22:34AM -0800, Crist J . Clark wrote: > > On Thu, Jan 17, 2002 at 08:30:02AM -0800, Ruslan Ermilov wrote: > > > The following reply was made to PR misc/33996; it has been noted by GNATS. > > > > > > From: Ruslan Ermilov <ru@FreeBSD.org> > > > To: Aragon Gouveia <aragon@phat.za.net> > > > Cc: bug-followup@FreeBSD.org > > > Subject: Re: misc/33996: 127.0.0.0/8 not added to routing table by default > > > Date: Thu, 17 Jan 2002 18:20:01 +0200 > > > > > > On Thu, Jan 17, 2002 at 08:02:01AM -0800, Aragon Gouveia wrote: > > > > > > > > > > > > The reserved 127.0.0.0/8 range is not added to FreeBSD's routing > > > > table with destination interface lo0 by default. Instead, only > > > > 127.0.0.1/32 is being routed to the loopback interface. Pinging, > > > > for example, 127.2.3.4 returns no response - in my case it tries > > > > to route via the default route out onto the net! > > > > > > > Nah, this is something that should be controlled with a firewall. > > > The default ipfw(8) rules block this. Also, the kernel function > > > in_canforward() does not allow forwarding of IP packets with the > > > destination address in the 127.0.0.0/8 range. > > > > > > Can this PR be closed now? > > > > Well, there is a bug here. Have you ever actually tried, > > > > # ping 127.2.3.4 > > > > And sniffed the wire? That is a Bad Thing. No machine should ever let > > 127/8 on the wire. But I believe there is another PR on this. > > > Yes I tried, and I get EACCES from ipfw(4) because of these lines: > > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > > :-) OK, # ipfw d 200 # ping 127.2.3.4 The point being that even without firewalling enabled, I don't think that packets destined for 127/8 should ever leave a host. Well, it's not just me who thinks so, it is a requirement (RFC1122), (g) { 127, <any> } Internal host loopback address. Addresses of this form MUST NOT appear outside a host. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org State Changed From-To: open->closed Duplicate of PR misc/30792. Fixed in 5.0-CURRENT, sys/netinet/ip_output.c,v 1.148. Responsible Changed From-To: freebsd-bugs->ru |
