Grant
I tried to understand this attack but it was over my head.
The message is simply that
I should only allow loopback traffic whose source
and destination addresses are 127.0.0.0/8 right??
e.g.
$IPTABLES -t filter -A INPUT -i $LOOPBACK_INTERFACE
-s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE
-s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
This is safe Right?
chris
On Wed, 2005-04-13 at 18:09, Taylor Grant wrote:
> > allow traffic on the loopback interface unconditionally, and allow the
> > linux routing code 'martian' checks to drop 127.0.0.0/8 packets received
> > 'on the wire' as it does by default.
>
> I don't think this is such a good idea. I could reconfigure my system such that it's loop back interface was not in the 127.0.0.0/8 network and set a route to the 127.0.0.0/8 network to be via your IP on the LAN. Assuming that your system and my system were on the same LAN and subnet and we could ping each other I would be able to access your 127.0.0.1 address as your kernel would forward traffic to the loop back network in your system.
>
>
>
> Grant. . . .
>
