Re: inetd echo localhost

2023-07-21 Thread Alexander Bluhm
On Fri, Jul 21, 2023 at 03:05:41PM +0200, Claudio Jeker wrote:
> On Fri, Jul 21, 2023 at 03:17:35PM +0300, Vitaliy Makkoveev wrote:
> > On Thu, Jul 20, 2023 at 09:57:00PM +0200, Alexander Bluhm wrote:
> > > Hi,
> > > 
> > > I wonder why UDP echo does not work with inetd on 127.0.0.1.
> > > 
> > > Note that it is default off.  One of my regress machines has it
> > > enabled for other tests.  There perl dist/Net-Ping/t/510_ping_udp.t
> > > expects that UDP echo works on 127.0.0.1.
> > > 
> > > It was disabled with this commit:
> > > 
> > > revision 1.65
> > > date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
> > > be more paranoid about UDP-based echo services validation.  namely,
> > > reject the following sources:
> > > 0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
> > > ff00::/8 ::/128
> > > :::0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
> > > reserved port, or NFS port.
> > > hint from deraadt.
> > > 
> > > 
> > > Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
> > > is broken.
> > > 
> > > I cannot see the security reason for disabling 127/8.
> > > Loops are prevented by blocking privileged ports.
> > > Echo to a local interface address through loopback is still allowed.
> > > The kernel checks that 127/8 does not come from extern.
> > > 127.0.0.1 should be handled like ::1 .
> > > 
> > > The feature was introduced together with IPv6 mapped addresses.
> > > See cvs diff -r1.64 -r1.65 inetd.c
> > > There it made sense to be paranoid about the IPv4 compatibility part
> > > of the IPv6 address.  But this feature was removed decades ago.
> > > So it could be a left over.
> > > 
> > > Should we also disable ::1 IPv6?
> > > Or allow 127.0.0.1 only?
> > > Or remove the case 127 completely?
> > > 
> > 
> > It's better to have similar behaviour for both ipv4 and ipv6 cases. I
> > see no reason to disable localhost.
> 
> Now hold your horses. This was done because of RPC / NFS and especially
> portmap. Neither of these protocols work over IPv6 so there is no reason
> to block ::1.

But for these special ports we have this check in inetd.

	if (port < IPPORT_RESERVED || port == NFS_PORT)
		goto bad;

To my surprise blocking 127/8 in kernel ip_input() on non-loopback
interfaces was added after it was blocked in inetd.


revision 1.62
date: 2001/03/03 01:00:19;  author: itojun;  state: Exp;  lines: +11 -1;
drop packets with 127.0.0.0/8 in header field, if the packet is from outside.
under RFC1122 sender rule 127.0.0.8 must not appear on the wire.
count incidents by ipstat.ips_badaddr.  sync with kame


Checking it in userland again looks unnecessary.  Especially as
userland does not know the interface and blocks unconditionally.

bluhm

> > > Index: usr.sbin/inetd/inetd.c
> > > ===
> > > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v
> > > retrieving revision 1.164
> > > diff -u -p -r1.164 inetd.c
> > > --- usr.sbin/inetd/inetd.c19 Apr 2023 12:58:16 -  1.164
> > > +++ usr.sbin/inetd/inetd.c20 Jul 2023 19:52:39 -
> > > @@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa)
> > >   if (IN_MULTICAST(in.s_addr))
> > >   goto bad;
> > >   switch ((in.s_addr & 0xff00) >> 24) {
> > > - case 0: case 127: case 255:
> > > + case 0: case 255:
> > >   goto bad;
> > >   }
> > >   if (dg_broadcast())
> > > 
> > 
> 
> -- 
> :wq Claudio
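As an added example, not inetd's own code and not from any of the thread's authors, the following C program models the datagram source validation under discussion: the rules listed in the rev 1.65 commit message (0/8, 127/8, 240/4, 255/8 and multicast for IPv4; ::/128 and ff00::/8 for IPv6; mapped ::ffff:a.b.c.d and compat ::a.b.c.d sources obeying the IPv4 rule; reserved ports and the NFS port), plus a loopback_ok flag that models the patch's removal of `case 127:`. The function names, the flag and the NFS_PORT_MODEL constant (2049, standing in for inetd's NFS_PORT) are this example's assumptions, and the sample sources are constructed.

```c
/*
 * Added example, not inetd's dg_badinput(): a stand-alone model of the
 * datagram source validation discussed in the thread, written from the
 * rules in the rev 1.65 commit message.  loopback_ok models the patch:
 * with it set, 127.0.0.0/8 is no longer rejected here, and the kernel's
 * ip_input() drop of 127/8 arriving on non-loopback interfaces is relied
 * upon instead.  Names, the flag and NFS_PORT_MODEL are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024            /* ports below this need root to bind */
#endif
#define NFS_PORT_MODEL 2049             /* stands in for inetd's NFS_PORT (assumed) */

/* IPv4 rule: 0/8, 127/8 (unless loopback_ok), 224/4 multicast, 240/4
 * (which includes 255/8), reserved ports and the NFS port are "bad". */
static bool bad_v4(uint32_t a, uint16_t port, bool loopback_ok)
{
    if ((a & 0xf0000000u) == 0xe0000000u)   /* 224.0.0.0/4: multicast source */
        return true;
    switch (a >> 24) {                      /* first octet, like inetd's switch */
    case 0:                                 /* 0.0.0.0/8 */
    case 255:                               /* 255.0.0.0/8 */
        return true;
    case 127:                               /* 127.0.0.0/8: the case the patch drops */
        if (!loopback_ok)
            return true;
        break;
    }
    if ((a & 0xf0000000u) == 0xf0000000u)   /* 240.0.0.0/4: reserved */
        return true;
    return port < IPPORT_RESERVED || port == NFS_PORT_MODEL;
}

/* ::ffff:a.b.c.d (mapped) and ::a.b.c.d (compat) carry an IPv4 address in
 * the low 32 bits; :: and ::1 are not compat addresses and stay IPv6. */
static bool v4_embedded(const struct in6_addr *a6, uint32_t *v4)
{
    static const uint8_t zero10[10];
    bool mapped, compat;

    if (memcmp(a6->s6_addr, zero10, sizeof zero10) != 0)
        return false;
    mapped = a6->s6_addr[10] == 0xff && a6->s6_addr[11] == 0xff;
    compat = a6->s6_addr[10] == 0x00 && a6->s6_addr[11] == 0x00;
    if (!mapped && !compat)
        return false;
    memcpy(v4, &a6->s6_addr[12], sizeof *v4);
    *v4 = ntohl(*v4);
    return mapped || *v4 > 1;
}

/* Returns true when a datagram from src:port must be rejected ("bad"). */
bool dg_badinput_model(const char *src, uint16_t port, bool loopback_ok)
{
    struct in_addr a4;
    struct in6_addr a6;
    uint32_t v4;

    if (inet_pton(AF_INET, src, &a4) == 1)
        return bad_v4(ntohl(a4.s_addr), port, loopback_ok);
    if (inet_pton(AF_INET6, src, &a6) != 1)
        return true;                        /* unparsable source: reject */
    if (IN6_IS_ADDR_MULTICAST(&a6) || IN6_IS_ADDR_UNSPECIFIED(&a6))
        return true;                        /* ff00::/8 and ::/128 */
    if (v4_embedded(&a6, &v4))
        return bad_v4(v4, port, loopback_ok);   /* "obeys IPv4 rule" */
    return port < IPPORT_RESERVED || port == NFS_PORT_MODEL;   /* ::1 lands here */
}

int main(void)
{
    /* constructed sample sources, not captured traffic */
    static const struct { const char *src; uint16_t port; } samples[] = {
        { "127.0.0.1", 40000 }, { "::1", 40000 }, { "::ffff:127.0.0.1", 40000 },
        { "127.0.0.1", 111 },   { "10.0.0.5", 2049 }, { "10.0.0.5", 40000 },
        { "0.1.2.3", 40000 },   { "224.0.0.1", 40000 }, { "240.0.0.1", 40000 },
        { "255.255.255.255", 40000 }, { "ff02::1", 40000 }, { "::", 40000 },
    };
    size_t i;

    printf("%-20s %6s  %-8s %-8s\n", "source", "port", "before", "patched");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %6u  %-8s %-8s\n", samples[i].src, (unsigned)samples[i].port,
               dg_badinput_model(samples[i].src, samples[i].port, false) ? "bad" : "ok",
               dg_badinput_model(samples[i].src, samples[i].port, true) ? "bad" : "ok");
    return 0;
}
```

Running it prints, for each constructed source, whether the pre-patch and the patched rule set rejects it. The rows worth comparing are 127.0.0.1:40000 (rejected before, accepted after), ::1:40000 (accepted in both, which is the asymmetry the thread is about) and 127.0.0.1:111 (still rejected in both by the reserved-port check, which together with the NFS port check is what covers the RPC/NFS/portmap concern regardless of how 127/8 is treated).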



Re: inetd echo localhost

2023-07-21 Thread Claudio Jeker
On Fri, Jul 21, 2023 at 03:17:35PM +0300, Vitaliy Makkoveev wrote:
> On Thu, Jul 20, 2023 at 09:57:00PM +0200, Alexander Bluhm wrote:
> > Hi,
> > 
> > I wonder why UDP echo does not work with inetd on 127.0.0.1.
> > 
> > Note that it is default off.  One of my regress machines has it
> > enabled for other tests.  There perl dist/Net-Ping/t/510_ping_udp.t
> > expects that UDP echo works on 127.0.0.1.
> > 
> > It was disabled with this commit:
> > 
> > revision 1.65
> > date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
> > be more paranoid about UDP-based echo services validation.  namely,
> > reject the following sources:
> > 0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
> > ff00::/8 ::/128
> > :::0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
> > reserved port, or NFS port.
> > hint from deraadt.
> > 
> > 
> > Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
> > is broken.
> > 
> > I cannot see the security reason for disabling 127/8.
> > Loops are prevented by blocking privileged ports.
> > Echo to a local interface address through loopback is still allowed.
> > The kernel checks that 127/8 does not come from extern.
> > 127.0.0.1 should be handled like ::1 .
> > 
> > The feature was introduced together with IPv6 mapped addresses.
> > See cvs diff -r1.64 -r1.65 inetd.c
> > There it made sense to be paranoid about the IPv4 compatibility part
> > of the IPv6 address.  But this feature was removed decades ago.
> > So it could be a left over.
> > 
> > Should we also disable ::1 IPv6?
> > Or allow 127.0.0.1 only?
> > Or remove the case 127 completely?
> > 
> 
> It's better to have similar behaviour for both ipv4 and ipv6 cases. I
> see no reason to disable localhost.

Now hold your horses. This was done because of RPC / NFS and especially
portmap. Neither of these protocols work over IPv6 so there is no reason
to block ::1.
 
> ok mvs
> 
> > bluhm
> > 
> > Index: usr.sbin/inetd/inetd.c
> > ===
> > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v
> > retrieving revision 1.164
> > diff -u -p -r1.164 inetd.c
> > --- usr.sbin/inetd/inetd.c  19 Apr 2023 12:58:16 -  1.164
> > +++ usr.sbin/inetd/inetd.c  20 Jul 2023 19:52:39 -
> > @@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa)
> > if (IN_MULTICAST(in.s_addr))
> > goto bad;
> > switch ((in.s_addr & 0xff00) >> 24) {
> > -   case 0: case 127: case 255:
> > +   case 0: case 255:
> > goto bad;
> > }
> > if (dg_broadcast())
> > 
> 

-- 
:wq Claudio



Re: inetd echo localhost

2023-07-21 Thread Vitaliy Makkoveev
On Thu, Jul 20, 2023 at 09:57:00PM +0200, Alexander Bluhm wrote:
> Hi,
> 
> I wonder why UDP echo does not work with inetd on 127.0.0.1.
> 
> Note that it is default off.  One of my regress machines has it
> enabled for other tests.  There perl dist/Net-Ping/t/510_ping_udp.t
> expects that UDP echo works on 127.0.0.1.
> 
> It was disabled with this commit:
> 
> revision 1.65
> date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
> be more paranoid about UDP-based echo services validation.  namely,
> reject the following sources:
> 0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
> ff00::/8 ::/128
> :::0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
> reserved port, or NFS port.
> hint from deraadt.
> 
> 
> Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
> is broken.
> 
> I cannot see the security reason for disabling 127/8.
> Loops are prevented by blocking privileged ports.
> Echo to a local interface address through loopback is still allowed.
> The kernel checks that 127/8 does not come from extern.
> 127.0.0.1 should be handled like ::1 .
> 
> The feature was introduced together with IPv6 mapped addresses.
> See cvs diff -r1.64 -r1.65 inetd.c
> There it made sense to be paranoid about the IPv4 compatibility part
> of the IPv6 address.  But this feature was removed decades ago.
> So it could be a left over.
> 
> Should we also disable ::1 IPv6?
> Or allow 127.0.0.1 only?
> Or remove the case 127 completely?
> 

It's better to have similar behaviour for both ipv4 and ipv6 cases. I
see no reason to disable localhost.

ok mvs

> bluhm
> 
> Index: usr.sbin/inetd/inetd.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v
> retrieving revision 1.164
> diff -u -p -r1.164 inetd.c
> --- usr.sbin/inetd/inetd.c19 Apr 2023 12:58:16 -  1.164
> +++ usr.sbin/inetd/inetd.c20 Jul 2023 19:52:39 -
> @@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa)
>   if (IN_MULTICAST(in.s_addr))
>   goto bad;
>   switch ((in.s_addr & 0xff00) >> 24) {
> - case 0: case 127: case 255:
> + case 0: case 255:
>   goto bad;
>   }
>   if (dg_broadcast())
> 



inetd echo localhost

2023-07-20 Thread Alexander Bluhm
Hi,

I wonder why UDP echo does not work with inetd on 127.0.0.1.

Note that it is default off.  One of my regress machines has it
enabled for other tests.  There perl dist/Net-Ping/t/510_ping_udp.t
expects that UDP echo works on 127.0.0.1.

It was disabled with this commit:

revision 1.65
date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
be more paranoid about UDP-based echo services validation.  namely,
reject the following sources:
0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
ff00::/8 ::/128
:::0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
reserved port, or NFS port.
hint from deraadt.


Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
is broken.

I cannot see the security reason for disabling 127/8.
Loops are prevented by blocking privileged ports.
Echo to a local interface address through loopback is still allowed.
The kernel checks that 127/8 does not come from extern.
127.0.0.1 should be handled like ::1 .

The feature was introduced together with IPv6 mapped addresses.
See cvs diff -r1.64 -r1.65 inetd.c
There it made sense to be paranoid about the IPv4 compatibility part
of the IPv6 address.  But this feature was removed decades ago.
So it could be a left over.

Should we also disable ::1 IPv6?
Or allow 127.0.0.1 only?
Or remove the case 127 completely?

bluhm

Index: usr.sbin/inetd/inetd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v
retrieving revision 1.164
diff -u -p -r1.164 inetd.c
--- usr.sbin/inetd/inetd.c  19 Apr 2023 12:58:16 -  1.164
+++ usr.sbin/inetd/inetd.c  20 Jul 2023 19:52:39 -
@@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa)
if (IN_MULTICAST(in.s_addr))
goto bad;
switch ((in.s_addr & 0xff00) >> 24) {
-   case 0: case 127: case 255:
+   case 0: case 255:
goto bad;
}
if (dg_broadcast())
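Review bot: dropping `case 127:` leaves the kernel as the only thing keeping 127/8 sources off non-loopback interfaces, so a one-line comment above the switch should say that dg_badinput() now deliberately accepts loopback sources because ip_input() drops 127/8 arriving from outside (the ip_input.c rev 1.62 change cited in the thread); without it the next reader sees 0 and 255 rejected, 127 missing, and the rev 1.65 commit message still listing 127.0.0.0/8 as rejected. The same comment can state that the `port < IPPORT_RESERVED || port == NFS_PORT` check quoted in the thread is what keeps echo from feeding privileged or NFS ports over loopback, and that this brings the IPv4 path in line with the IPv6 path, which already lets ::1 through. Separately, the unchanged context line `switch ((in.s_addr & 0xff00) >> 24) {` as it appears here can only evaluate to 0 after the shift, which would send every source to `goto bad`; that reads like the mask lost its trailing zeros in transit (0xff000000 would select the first octet that the 0/127/255 cases expect), so it is worth confirming against the checked-in file before committing.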