[Firehol-support] Dropping localhost src packets.

Costa Tsaousis costa at tsaousis.gr
Thu Jan 22 20:45:58 GMT 2004

Hi all,

FireHOL allows everything coming in from device lo and everything going
out to device lo, at the beginning of the firewall. This is applied to
the INPUT and OUTPUT iptables chains (in table filter), not the FORWARD
chain, so that nothing can be routed to/from device lo (except of course
if you add a router to do this).

It has been observed that in some DNAT/SNAT configurations, a few
versions of iptables get confused and sometimes packets appear
from/to eth0 with source and destination
This is useful traffic that should use device lo, not eth0. Until the
iptables team fixes this, I suggest adding this to your configuration:

interface any loop src dst
policy accept

Note that this is not a security threat, since it is not a router. It is
an interface that matches INPUT/OUTPUT, not FORWARD.

Finally, with FireHOL it is not possible to prevent the localhost from
talking to itself.


On Thu, 2004-01-22 at 12:28, Francis Brosnan Blázquez wrote:
> Hi.
> We are receiving ip spoofed packages with as ip source. So, we
> have added the following line before any interface definition to drop
> all incoming traffic from localhost.
> blacklist="localhost"
> interface any BadTraf src "${blacklist}"
> But, after starting firehol again, I am still able to do a telnet localhost
> 22.
> What am I doing wrong? How could I drop all traffic from localhost?
> Thanks. All help is appreciated.
> Cheers.
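The rule-ordering point in the reply (the implicit accept for device lo sits at the head of INPUT/OUTPUT, an "interface" never matches FORWARD, so a later blacklist cannot stop localhost talking to itself) can be checked with a small first-match simulation. This is an added example written for this page, not FireHOL code or the iptables chains themselves. It assumes the elided addresses in the snippets above are the standard loopback range 127.0.0.0/8, models the poster's blacklist interface as a drop and the suggested "loop" interface as an accept that requires both source and destination to be loopback, and adds a hypothetical eth0 interface serving ssh plus constructed sample packets (192.0.2.0/24 documentation addresses) so the verdicts differ.

```python
"""First-match model of the chain layout described in the reply above.

Constructed example, not FireHOL or iptables code: rules are evaluated
top to bottom, the first match decides, and the lo rules come first.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    chain: str   # "INPUT", "OUTPUT" or "FORWARD"
    iface: str   # interface the packet arrived on or leaves through
    src: str
    dst: str
    dport: int


# A rule is (name, predicate, verdict); the first matching rule decides.
Rule = Tuple[str, Callable[[Packet], bool], str]


def both_loopback(pkt: Packet) -> bool:
    """True if source AND destination are in the loopback range 127.0.0.0/8."""
    return ip_address(pkt.src).is_loopback and ip_address(pkt.dst).is_loopback


def build_rules(blacklist_localhost: bool, loop_workaround: bool) -> List[Rule]:
    """Simplified rule order for the layout the reply describes."""
    in_out = ("INPUT", "OUTPUT")
    rules: List[Rule] = [
        # implicit head rules: everything in from lo and out to lo is accepted
        ("lo in", lambda p: p.chain == "INPUT" and p.iface == "lo", "ACCEPT"),
        ("lo out", lambda p: p.chain == "OUTPUT" and p.iface == "lo", "ACCEPT"),
    ]
    if blacklist_localhost:
        # the poster's attempt, placed before any other interface definition;
        # an 'interface' only matches INPUT/OUTPUT, never FORWARD (assumption)
        rules.append(("blacklist localhost",
                      lambda p: p.chain in in_out and ip_address(p.src).is_loopback,
                      "DROP"))
    if loop_workaround:
        # the suggested 'interface any loop src ... dst ...' with policy accept
        rules.append(("loop workaround",
                      lambda p: p.chain in in_out and both_loopback(p),
                      "ACCEPT"))
    # hypothetical public interface that serves ssh (constructed for the example)
    rules.append(("eth0 server ssh",
                  lambda p: p.chain == "INPUT" and p.iface == "eth0" and p.dport == 22,
                  "ACCEPT"))
    # nothing else matches: drop, and FORWARD never sees a loopback rule
    rules.append(("default", lambda p: True, "DROP"))
    return rules


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Return (verdict, name of the rule that decided it)."""
    for name, match, verdict in rules:
        if match(pkt):
            return verdict, name
    raise AssertionError("rule list must end with a catch-all")


# Constructed sample traffic
TELNET_LOCALHOST = Packet("INPUT", "lo", "127.0.0.1", "127.0.0.1", 22)
SPOOFED_ON_ETH0 = Packet("INPUT", "eth0", "127.0.0.1", "192.0.2.10", 22)
NAT_CONFUSED = Packet("INPUT", "eth0", "127.0.0.1", "127.0.0.1", 8080)
ROUTED_LOOPBACK = Packet("FORWARD", "eth0", "127.0.0.1", "192.0.2.20", 80)


def verdicts(blacklist_localhost: bool, loop_workaround: bool) -> Dict[str, Tuple[str, str]]:
    """Verdict and deciding rule for each sample packet under a given config."""
    rules = build_rules(blacklist_localhost, loop_workaround)
    return {
        "telnet localhost": evaluate(TELNET_LOCALHOST, rules),
        "spoofed on eth0": evaluate(SPOOFED_ON_ETH0, rules),
        "nat confused": evaluate(NAT_CONFUSED, rules),
        "routed loopback": evaluate(ROUTED_LOOPBACK, rules),
    }


if __name__ == "__main__":
    for bl, lw in [(False, False), (True, False), (False, True)]:
        print(f"blacklist={bl} workaround={lw}")
        for label, (verdict, rule) in verdicts(bl, lw).items():
            print(f"  {label:17s} -> {verdict:6s} ({rule})")
```

Running it shows the poster's telnet to localhost accepted by "lo in" whether or not the blacklist is present, the blacklist catching a loopback-sourced packet on eth0 that the ssh rule would otherwise accept, the NAT-confused loopback-to-loopback packet on eth0 dropped unless the "loop" workaround is configured, and a FORWARD packet with a loopback address dropped under every configuration.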
