Hi Dewayne,

Fri, 19 Jan 2018 10:36:43 +1100 - Dewayne Geraghty <[email protected]>:

> If you're paranoid, I also add a firewall rule to restrict traffic
> from/to specific ports and IP's over lo0. If you have anything
> sensitive you might also consider this restriction. Though I would
> recommend using "tcpdump -ni $INTERFACE" to learn how jails and
> routing works in your environment. I was surprised to observe: when
> two jails are assigned IP's on their external interface the traffic
> between, expecting to use their external interfaces, traverses lo0.

Until now I thought that jails with two different /32 loopback addresses
cannot communicate over loopback, because it is /32. But you are right.
I need a firewall rule to block traffic between the jails.

> PS Sadly there are many examples of ports using 127.0.0.1 instead of
> localhost, there are 104 different files in the Samba 4.7 suite that
> use 127.0.0.1 :/

Yes. I think there are two standards. One is, like Isaac told, RFC 3330.
And the other one was "vote with the feet" and is localhost = 127.0.0.1.
There is too much software with this address hardcoded.

So it is a security feature that software will not bind to a public IP by
accident.

I wonder why it makes such a difference if the IP address of the host is
/32 or not. And I can't just change it to /24, because then I couldn't
reach the other servers in this /24 network. And some of them are also
mine :-(

Ole
