Hello Woody,
Monday, March 05, 2001, 10:44:43 PM, you wrote:
W> There is a flaw in the TCP/IP stack, such that packets intended for
W> loopback and/or local network interfaces, routed via any other
W> interface, will be delivered EVEN IF THE MACHINE IS CONFIGURED NOT
W> TO BE A GATEWAY (note that in the case of packets destined for the
W> loopback interface, we consider this to be a fault no matter how
W> the host is configured - see RFC 1122 comments below). This means
W> that connections can be made to services that were intended to be
W> invisible by virtue of the fact that they were only listening on
W> the "inside" of a system. This may lead to further compromise of
W> the host and/or connected networks, either via (e.g.) buffer
W> overflows or enhanced privileges via access to SOCKS or other
W> internal proxies.
Windows NT behaves the same way - it will accept a connection to an internal
address through the external interface even if routing is not enabled (I'm
not sure about loopback). Also, when configuring Cisco routers it's quite
common practice to give a real address to the loopback interface and link
this address to a few external interfaces.
This behavior doesn't violate RFC 1122, and I believe this behavior is
correct (imagine a host with e.g. a few PPTP and L2TP interfaces, some of
which may be dynamically addressed. To make this host accessible from
outside you may want some static internal address, perhaps bound to
loopback rather than to a virtual interface or any physical interface, but
enabling routing in this case isn't a good idea).
I believe the solution to this problem may be something like
ipfw add allow all from any to any via lo*
ipfw add deny all from any to 127.0.0.0/8
if you want this behavior to be changed.
--
~/3APA3A
Even if you do receive a letter, you still won't be able to read it.
(Twain)
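Added example, not part of the original message or of any of the stacks or
tools discussed in it: a small Python model of the host input decision the
thread is arguing about. RFC 1122 (section 3.3.4.2) permits both the "weak"
end-system model, where a multi-homed host delivers a packet locally if the
destination is any of its addresses, and the "strong" model, where the
destination must belong to the interface the packet arrived on. The reply's
two ipfw rules are evaluated first-match in front of that decision so you
can see exactly which cases they cover. Interface names (lo0, fxp0, fxp1)
and addresses are constructed for illustration.

```python
"""Weak vs. strong host input decision, plus the two ipfw rules from the reply.

Added example, not code from the original message. Interface names and
addresses below are constructed; the ipfw semantics modelled are only the
two rules quoted in ipfw_rules_allow().
"""
from ipaddress import ip_address, ip_network

# Constructed multi-homed host: an "outside" link, an "inside" link, loopback.
HOST_ADDRS = {
    "lo0":  {ip_address("127.0.0.1")},
    "fxp0": {ip_address("192.0.2.10")},   # "outside" interface
    "fxp1": {ip_address("10.0.0.1")},     # "inside" interface
}
LOOPBACK_NET = ip_network("127.0.0.0/8")


def owning_interface(dst):
    """Return the interface that carries dst, or None if dst is not a local address."""
    dst = ip_address(dst)
    for ifname, addrs in HOST_ADDRS.items():
        if dst in addrs:
            return ifname
    return None


def weak_host_delivers(dst, ingress):
    """RFC 1122 weak end-system model, i.e. the behaviour the thread reports:
    deliver locally if dst is *any* address of the host, regardless of the
    interface it arrived on. Whether forwarding (gateway mode) is enabled
    plays no part in this decision."""
    return owning_interface(dst) is not None


def strong_host_delivers(dst, ingress):
    """RFC 1122 strong end-system model: deliver only if dst belongs to the
    interface the packet arrived on."""
    return owning_interface(dst) == ingress


def ipfw_rules_allow(dst, ingress):
    """The two rules proposed in the reply, evaluated first-match like ipfw:
         add allow all from any to any via lo*
         add deny  all from any to 127.0.0.0/8
    Returns True/False when a rule matches, None when neither does (later
    rules or the default policy would decide)."""
    if ingress.startswith("lo"):
        return True
    if ip_address(dst) in LOOPBACK_NET:
        return False
    return None


def delivered(dst, ingress, model=weak_host_delivers):
    """Packet filter first, then the stack's host-model decision."""
    if ipfw_rules_allow(dst, ingress) is False:
        return False
    return model(dst, ingress)


if __name__ == "__main__":
    for dst, ifc in [("127.0.0.1", "fxp0"), ("10.0.0.1", "fxp0"),
                     ("192.0.2.10", "fxp0"), ("127.0.0.1", "lo0")]:
        print(f"{dst:>12} via {ifc}: weak+ipfw={delivered(dst, ifc)} "
              f"strong={strong_host_delivers(dst, ifc)}")
```

Running the model shows the caveat a reader of the reply should keep in
mind: the two rules stop packets addressed to 127/8 that arrive on a real
interface, but a packet for the inside address (10.0.0.1 here) arriving on
the outside interface is still delivered by a weak-model stack, because
nothing in those rules mentions it. Closing that case needs either a
strong-model stack or a further rule denying traffic to the inside address
when it is received on the outside interface.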