On Fri, Jul 21, 2023 at 03:05:41PM +0200, Claudio Jeker wrote:
> On Fri, Jul 21, 2023 at 03:17:35PM +0300, Vitaliy Makkoveev wrote:
> > On Thu, Jul 20, 2023 at 09:57:00PM +0200, Alexander Bluhm wrote:
> > > Hi,
> > > 
> > > I wonder why UDP echo does not work with inetd on 127.0.0.1.
> > > 
> > > Note that it is default off.  One of my regress machines has it
> > > enabled for other tests.  There perl dist/Net-Ping/t/510_ping_udp.t
> > > expects that UDP echo works on 127.0.0.1.
> > > 
> > > It was disabled with this commit:
> > > ----------------------------
> > > revision 1.65
> > > date: 2000/08/01 19:02:05;  author: itojun;  state: Exp;  lines: +47 -11;
> > > be more paranoid about UDP-based echo services validation.  namely,
> > > reject the following sources:
> > >         0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
> > >         ff00::/8 ::/128
> > >         ::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
> > >         reserved port, or NFS port.
> > > hint from deraadt.
> > > ----------------------------
> > > 
> > > Note that IPv6 echo to ::1 works fine.  Only IPv4 echo to 127.0.0.1
> > > is broken.
> > > 
> > > I cannot see the security reason for disabling 127/8.
> > > Loops are prevented by blocking privileged ports.
> > > Echo to a local interface address through loopback is still allowed.
> > > The kernel checks that 127/8 does not come from extern.
> > > 127.0.0.1 should be handled like ::1 .
> > > 
> > > The feature was introduced together with IPv6 mapped addresses.
> > > See cvs diff -r1.64 -r1.65 inetd.c
> > > There it made sense to be paranoid about the IPv4 compatibility part
> > > of the IPv6 address.  But this feature has been removed since decades.
> > > So it could be a left over.
> > > 
> > > Should we also disable ::1 IPv6?
> > > Or allow 127.0.0.1 only?
> > > Or remove the case 127 completely?
> > > 
> > 
> > It's better to have similar behaviour for both ipv4 and ipv6 cases. I
> > see no reason to disable localhost.
> 
> Now hold your horses. This was done because of RPC / NFS and especially
> portmap. Neither of these protocols work over IPv6 so there is no reason
> to block ::1.

But for these special ports we have this check in inetd.

        if (port < IPPORT_RESERVED || port == NFS_PORT)
                goto bad;

To my surprise blocking 127/8 in kernel ip_input() on non-loopback
interfaces was added after it was blocked in inetd.

----------------------------
revision 1.62
date: 2001/03/03 01:00:19;  author: itojun;  state: Exp;  lines: +11 -1;
drop packets with 127.0.0.0/8 in header field, if the packet is from outside.
under RFC1122 sender rule 127.0.0.8 must not appear on the wire.
count incidents by ipstat.ips_badaddr.  sync with kame
----------------------------

Checking it in userland again looks unnecessary.  Especially as
userland does not know the interface and blocks unconditionally.

bluhm

> > > Index: usr.sbin/inetd/inetd.c
> > > ===================================================================
> > > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/inetd/inetd.c,v
> > > retrieving revision 1.164
> > > diff -u -p -r1.164 inetd.c
> > > --- usr.sbin/inetd/inetd.c        19 Apr 2023 12:58:16 -0000      1.164
> > > +++ usr.sbin/inetd/inetd.c        20 Jul 2023 19:52:39 -0000
> > > @@ -444,7 +444,7 @@ dg_badinput(struct sockaddr *sa)
> > >           if (IN_MULTICAST(in.s_addr))
> > >                   goto bad;
> > >           switch ((in.s_addr & 0xff000000) >> 24) {
> > > -         case 0: case 127: case 255:
> > > +         case 0: case 255:
> > >                   goto bad;
> > >           }
> > >           if (dg_broadcast(&in))
> > > 
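Review bot: with `case 127:` removed, the only things left refusing a 127/8 source are the kernel's ip_input drop of 127/8 arriving on non-loopback interfaces and the `port < IPPORT_RESERVED || port == NFS_PORT` rejection further down in dg_badinput, neither of which is visible at this switch; a one-line comment at the `case 0: case 255:` line saying that loopback sources are accepted because the kernel already refuses them from the wire would keep the next reader from re-adding the check. The 1.65 commit message quoted above also lists 240.0.0.0/4, which this switch does not test; if that is handled elsewhere in the function nothing changes here, but it is worth confirming so that dropping 127 is the only behavioural change in this hunk.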
> > 
> 
> -- 
> :wq Claudio

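As an added example (not inetd's code, and not from any participant in the thread), here is a stand-alone source filter that follows the rules quoted above from the 1.65 commit message, with 127/8 accepted as in the patch and a v4-mapped or v4-compatible IPv6 source falling back to the IPv4 rule. It goes slightly beyond the hunk by also refusing 240.0.0.0/4 as the commit message lists. The function names, the inline class E test, the assumed NFS port value (`EXAMPLE_NFS_PORT`), the `check_source` wrapper and the sample addresses in `main` are this example's own assumptions.

```c
/*
 * Added example, not inetd's own code.  A dg_badinput()-style filter for a
 * UDP echo service, following the rules in the inetd.c 1.65 commit message,
 * with 127/8 accepted as in the patch (the kernel's ip_input already drops
 * 127/8 arriving on non-loopback interfaces, so such a source can only be
 * local).  Names, the inline class E test, EXAMPLE_NFS_PORT and the sample
 * addresses in main() are this example's assumptions.
 */
#define _DEFAULT_SOURCE 1      /* glibc: expose BSD/POSIX socket bits */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif
#define EXAMPLE_NFS_PORT 2049   /* assumed value of inetd's NFS_PORT */

/* Ports that would bounce an echo back and forth: any reserved port
 * (other internal services live there) and NFS/portmap.  Applied to every
 * source, loopback included, so it is what stops local loops. */
static int bad_port(uint16_t port)
{
    return port < IPPORT_RESERVED || port == EXAMPLE_NFS_PORT;
}

/* IPv4 source rules: 0.0.0.0/8, 224.0.0.0/4 multicast, 240.0.0.0/4
 * reserved (which contains 255.0.0.0/8).  127/8 is deliberately absent. */
static int bad_v4(struct in_addr in, uint16_t port)
{
    uint32_t a = ntohl(in.s_addr);          /* work in host byte order */

    if (bad_port(port))
        return 1;
    if ((a >> 24) == 0)                     /* 0.0.0.0/8 */
        return 1;
    if ((a & 0xf0000000U) == 0xe0000000U)   /* 224.0.0.0/4 multicast */
        return 1;
    if ((a & 0xf0000000U) == 0xf0000000U)   /* 240.0.0.0/4, incl. 255/8 */
        return 1;
    return 0;
}

/* IPv6 source rules: ::/128 and ff00::/8 are refused; ::ffff:a.b.c.d and
 * ::a.b.c.d carry an IPv4 source and obey the IPv4 rule.  ::1 is accepted
 * (the V4COMPAT test excludes ::0 and ::1 by definition). */
static int bad_v6(const struct in6_addr *in6, uint16_t port)
{
    if (bad_port(port))
        return 1;
    if (IN6_IS_ADDR_UNSPECIFIED(in6) || IN6_IS_ADDR_MULTICAST(in6))
        return 1;
    if (IN6_IS_ADDR_V4MAPPED(in6) || IN6_IS_ADDR_V4COMPAT(in6)) {
        struct in_addr in;
        memcpy(&in, &in6->s6_addr[12], sizeof in);   /* low 32 bits */
        return bad_v4(in, port);
    }
    return 0;
}

/* Returns 1 if a datagram from sa must not be answered, 0 if it may be. */
int dg_badinput_example(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return bad_v4(s4->sin_addr, ntohs(s4->sin_port));
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        return bad_v6(&s6->sin6_addr, ntohs(s6->sin6_port));
    }
    return 1;                               /* unknown family: refuse */
}

/* Convenience wrapper: text address + port -> verdict (-1 on parse error). */
int check_source(const char *addr, uint16_t port)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    if (strchr(addr, ':') != NULL) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(port);
        if (inet_pton(AF_INET6, addr, &s6->sin6_addr) != 1)
            return -1;
    } else {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        s4->sin_family = AF_INET;
        s4->sin_port = htons(port);
        if (inet_pton(AF_INET, addr, &s4->sin_addr) != 1)
            return -1;
    }
    return dg_badinput_example((const struct sockaddr *)&ss);
}

int main(void)
{
    /* Constructed sample sources: the Net-Ping case, the IPv6 loopback
     * case, a mapped loopback, and sources that must still be refused. */
    static const struct { const char *addr; uint16_t port; } probe[] = {
        { "127.0.0.1", 50000 }, { "::1", 50000 }, { "::ffff:127.0.0.1", 50000 },
        { "127.0.0.1", 7 }, { "10.0.0.7", 2049 }, { "0.0.0.0", 50000 },
        { "255.255.255.255", 50000 }, { "240.1.2.3", 50000 },
        { "224.0.0.1", 50000 }, { "ff02::1", 50000 }, { "::", 50000 },
    };
    size_t i;
    for (i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("%-18s port %-5u -> %s\n", probe[i].addr, probe[i].port,
            check_source(probe[i].addr, probe[i].port) ? "drop" : "answer");
    return 0;
}
```

The port test is applied before the address tests and to every family, which is the point made in the reply: once the kernel guarantees a 127/8 source is local, the reserved-port and NFS-port check is what prevents two internal UDP services from echoing to each other, and that check does not depend on the source address at all.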