Hi

On Tue, Jan 25, 2000 at 09:06:25PM -0500, David Coe wrote:
[snip]
> Given that we do see legitimate packets coming and going via the lo
> interface using the machine's non-lo interface IPs (e.g. when you post
> mail from the same machine to "myhost.mydomain.org" instead of to
> "localhost"), is it safe to assume that *anything* coming in or out
> via the 'lo' interface is locally generated, or should the rules be
> careful to only allow 'lo' traffic to/from the legitimate IP addresses
> of this machine?
>
> For example, a machine with three valid IP addresses:
>
> on eth0 123.1.2.3 external net
> on eth1 10.0.0.8 internal net
> on lo 127.0.0.1 local
>
> is it safe for us to allow all 'lo' traffic by saying:
>
> ipchains -A input -j ACCEPT -i lo
> ipchains -A output -j ACCEPT -i lo

As far as I know this is safe, but perhaps you should get the opinion of
some other people :)

> or must we enumerate the valid combinations of source and
> destination addresses?:

If you want to make sure, you could do that, but I think your rules are
wrong. Won't the machine always use the same source and dest addresses
for stuff sent/received over lo? i.e. all you should need is the
following:

> ipchains -A input -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
> ipchains -A output -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
[snip]
> ipchains -A input -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
> ipchains -A output -j ACCEPT -i lo -s 10.0.0.8 -d 10.0.0.8
[snip]
> ipchains -A input -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3
> ipchains -A output -j ACCEPT -i lo -s 123.1.2.3 -d 123.1.2.3

-- 
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
[EMAIL PROTECTED] | Fax: +27 21 761 9930 | Kingsley Technologies
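As an added example, not part of the thread above: a POSIX shell script that derives the enumerated per-address lo rule pairs in the form Michael suggests (same source and destination) from a list of the machine's addresses, so the pairs are generated from data rather than typed by hand. The address list is constructed from the example in David's mail; the script only prints the commands and assumes an ipchains-era kernel if they are applied.

```shell
#!/bin/sh
# Added example, not from the original thread: generate the enumerated
# lo rules, one input/output pair per local address.

# Constructed sample input standing in for the machine's address list
# (the three addresses from the example in the thread).
LOCAL_ADDRS="127.0.0.1
10.0.0.8
123.1.2.3"

# is_ipv4 A : return 0 if A is a dotted quad with each octet in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# lo_rules : read addresses (one per line) on stdin and print the
# ipchains input/output accept pairs for traffic on lo.  Malformed
# entries are reported on stderr and skipped rather than emitted, so a
# typo in the address list cannot turn into an over-broad rule.
lo_rules() {
    while read -r a; do
        [ -n "$a" ] || continue
        if ! is_ipv4 "$a"; then
            echo "skipping invalid address: $a" >&2
            continue
        fi
        echo "ipchains -A input  -j ACCEPT -i lo -s $a -d $a"
        echo "ipchains -A output -j ACCEPT -i lo -s $a -d $a"
    done
}

# count_rules : number of rule lines produced for the sample list
# (two per valid address).
count_rules() {
    printf '%s\n' "$LOCAL_ADDRS" | lo_rules | wc -l | tr -d ' '
}

# Print the rules; review them, then pipe into sh to apply.
printf '%s\n' "$LOCAL_ADDRS" | lo_rules
```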

