[Firehol-support] Dropping localhost src packets.

Costa Tsaousis costa at tsaousis.gr
Thu Jan 22 20:45:58 GMT 2004


Hi all,

FireHOL allows everything coming in from device lo and everything going
out to device lo, at the beginning of the firewall. This is applied to
the INPUT and OUTPUT iptables chains (in table filter), not the FORWARD
chain, so that nothing can be routed to/from device lo (except of course
if you add a router to do this).

It has been observed that in some DNAT/SNAT configurations, a few
versions of iptables get confused and sometimes packets appear from/to
eth0 with source 127.0.0.1 and destination 127.0.0.1.
This is useful traffic that should use device lo, not eth0. Until the
iptables team fixes this, I suggest adding this to your configuration:

interface any loop src 127.0.0.1 dst 127.0.0.1
policy accept

Note that this is not a security threat, since it is not a router. It is
an interface that matches INPUT/OUTPUT, not FORWARD.

Finally, with FireHOL it is not possible to prevent the localhost from
talking to itself.

Costa


On Thu, 2004-01-22 at 12:28, Francis Brosnan Blázquez wrote:
> Hi.
> 
> We are receiving IP spoofed packets with 127.0.0.1 as IP source. So, we
> have added the following line before any interface definition to drop
> all incoming traffic from localhost.
> 
> blacklist="localhost"
> interface any BadTraf src "${blacklist}"
> 
> But, after starting firehol again, I am still able to do a telnet localhost
> 22.
> 
> What am I doing wrong? How could I drop all traffic from localhost?
> 
> Thanks. All help is appreciated.
> 
> Cheers.
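A log-side check for the situation discussed above, added here as an example and not part of the list post: given iptables LOG lines, it separates the src=127.0.0.1 dst=127.0.0.1 case that the suggested `interface any loop` would accept from 127.0.0.1-sourced packets bound for some other address, which that interface does not match and which the normal interface policy still handles. The lines are constructed samples in the standard iptables LOG format; the device names and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not code from the FireHOL list post): classify iptables LOG
# lines by how the suggested "loop" interface would treat them.

# Print the value of a KEY=value field from an iptables LOG line; prints an
# empty string when the field is absent or empty (e.g. "OUT=" on INPUT logs).
field() {
    # $1 = log line, $2 = field name (IN, SRC, DST, ...)
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Classify one line:
#   loopback  - arrived on lo, which FireHOL accepts at the start anyway
#   loop-rule - src and dst both 127.0.0.1 on another device: the case the
#               suggested "interface any loop src 127.0.0.1 dst 127.0.0.1"
#               accepts
#   spoofed   - 127.0.0.1 source heading for a real address: not matched by
#               that interface, so the regular policy decides
#   other     - source is not 127.0.0.1
classify() {
    in_dev=$(field "$1" IN)
    src=$(field "$1" SRC)
    dst=$(field "$1" DST)
    if [ "$src" != "127.0.0.1" ]; then
        echo other
    elif [ "$in_dev" = "lo" ]; then
        echo loopback
    elif [ "$dst" = "127.0.0.1" ]; then
        echo loop-rule
    else
        echo spoofed
    fi
}

# Count "spoofed" lines on stdin, i.e. the ones worth looking into.
count_spoofed() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify "$line")" = "spoofed" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample log lines (assumed host name "gw", documentation IPs).
SAMPLE_LOG='Jan 22 20:40:01 gw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40000 DPT=53
Jan 22 20:40:02 gw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Jan 22 20:40:03 gw kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40002 DPT=22
Jan 22 20:40:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80'

printf '%s\n' "$SAMPLE_LOG" | count_spoofed   # prints 1 (the second line)
```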
