Wade Burgett <[EMAIL PROTECTED]> writes:
> I think the anti-spoof rules in the 2.2.x kernels should make this safe.
> Anything coming on the other interfaces w/ the 127.0.0.1 address won't be
> allowed.
True, but (I apologize for having been so brief) my question was meant the other way around: Given that we do see legitimate packets coming and going via the lo interface using the machine's non-lo interface IPs (e.g. when you post mail from the same machine to "myhost.mydomain.org" instead of to "localhost"), is it safe to assume that *anything* coming in or out via the 'lo' interface is locally generated, or should the rules be careful to only allow 'lo' traffic to/from the legitimate IP addresses of this machine?

For example, a machine with three valid IP addresses:

    on eth0   123.1.2.3    external net
    on eth1   10.0.0.8     internal net
    on lo     127.0.0.1    local

is it safe for us to allow all 'lo' traffic by saying:

    ipchains -A input  -j ACCEPT -i lo
    ipchains -A output -j ACCEPT -i lo

or must we enumerate the valid combinations of source and destination addresses?:

    ipchains -A input  -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
    ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
    ipchains -A input  -j ACCEPT -i lo -s 127.0.0.1 -d 10.0.0.8
    ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 10.0.0.8
    ipchains -A input  -j ACCEPT -i lo -s 127.0.0.1 -d 123.1.2.3
    ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 123.1.2.3
    ipchains -A input  -j ACCEPT -i lo -s 10.0.0.8 -d 127.0.0.1
    ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 127.0.0.1
    ipchains -A input  -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
    ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
    ipchains -A input  -j ACCEPT -i lo -s 10.0.0.8 -d 123.1.2.3
    ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 123.1.2.3
    ipchains -A input  -j ACCEPT -i lo -s 123.1.2.3 -d 127.0.0.1
    ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 127.0.0.1
    ipchains -A input  -j ACCEPT -i lo -s 123.1.2.3 -d 10.0.0.8
    ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 10.0.0.8
    ipchains -A input  -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3
    ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3

Thanks.
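The enumerated variant above is tedious to type by hand and easy to get wrong when an address is added. The following script is an added example, not part of the original message: it generates the full set of source/destination ACCEPT rules for lo from a list of local addresses and closes with a logging DENY so that anything else appearing on lo is recorded rather than silently passed. The address list is the constructed one from the post; the `gen_lo_rules` and `count_lo_rules` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the enumerated
# ipchains rules for the loopback interface from a list of local addresses.
# Assumptions: ipchains 'input'/'output' chains as used in the post; the
# address set is the post's constructed example (127.0.0.1, 10.0.0.8, 123.1.2.3).

# gen_lo_rules ADDR... : print one ACCEPT rule per chain for every
# (source, destination) pair of the given addresses, then a logging DENY
# per chain for anything else seen on lo.
gen_lo_rules() {
    for src in "$@"; do
        for dst in "$@"; do
            for chain in input output; do
                echo "ipchains -A $chain -j ACCEPT -i lo -s $src -d $dst"
            done
        done
    done
    # Traffic on lo with an address outside the list is not local by our
    # definition: log it (-l) and drop it, so surprises show up in the logs.
    for chain in input output; do
        echo "ipchains -A $chain -j DENY -l -i lo"
    done
}

# count_lo_rules ADDR... : number of ACCEPT rules that would be emitted
# (n addresses -> n*n pairs, times 2 chains).
count_lo_rules() {
    gen_lo_rules "$@" | grep -c -- '-j ACCEPT'
}

LOCAL_ADDRS="127.0.0.1 10.0.0.8 123.1.2.3"   # constructed, from the post's example
gen_lo_rules $LOCAL_ADDRS
```

Pipe the output into `sh` only after reviewing it; for the three addresses above it yields the same 18 ACCEPT lines as the hand-written list plus the two DENY lines.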

