Re: Loopback security...

On 04/22/08 06:01, Leonardo Rodrigues Magalhães wrote:
> Are you sure you understand it right??? What do you mean by 'Linux considers it secure'?? Do you mean it has no access control by default???? This happens with ALL Linux network interfaces (logical and physical). If you need access control at the network level, then you've got iptables!!!

No, you misunderstood me. What I meant by "Linux considers it secure" is that (by default) it will not let any traffic into or out of the loopback interface from / to a different interface. I.e. (presuming that I bind an additional subnet (192.0.2/24, the "Test network") to the loopback interface and set up another station to route to it via the static IP on the ethernet interface):

+---+                  +---+
| A +-- - - -  - - - --+ B |
+---+ .1 (10.0.0) .254 +---+

Suppose I bind 192.0.2.1 to A's loopback interface and add a route to 192.0.2/24 on B via 10.0.0.1. If I try to ping 192.0.2.1 from B, the traffic will leave B and go down the wire just like it should. However my experience shows that A will not forward the traffic into the loopback interface and destination IP. Note: This config is with all firewalling completely disabled and forwarding enabled.

Said another way, Linux will not allow foreign traffic (non localhost) on the loopback interface for security reasons. I believe this to be a design decision based on security.

> What was the problem solved/worked around???? Tell us what happened and maybe we'll tell you if using rinetd was a smart solution and, if it's not, maybe give you other better workaround tips.

This is not an actual problem but rather a (theoretical) discussion on whether such is or is not possible to do with Linux.

> No hide and seek games.... tell us what's really your problem please.

Again, this is not a game or a problem to solve, merely a question / discussion of "Is it possible..." to send traffic into and / or out of the loopback interface. If it is not possible (by default), is it possible to disable this built-in / inherent security?

> Do you mean the loopback interface throwing/receiving traffic on your physical network, i.e., ethernet cables??? If this is your idea, it goes against the whole loopback idea and I think it certainly can't be done.

Yes, this is what I was asking. I know and understand fully well why this generally is not done. However I wanted to know if it is possible to throw some setting on the system to allow this to be done against better advice.



Grant. . . .
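The setup Grant describes (an extra address bound to A's loopback interface, forwarding enabled, B routing to it via 10.0.0.1) can be reproduced on one machine with two network namespaces. The script below is an added example, not code from the thread; it assumes Linux with iproute2 and root privileges, and the namespace and veth names are arbitrary choices made here. It prints A's routing decision for a packet to 192.0.2.1 arriving from B, tries the ping from B, and turns on martian logging first so that a kernel drop shows up in the kernel log instead of failing silently.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the A/B topology from the
# message in two network namespaces and see whether a packet for an address
# bound to A's loopback is accepted when it arrives on A's ethernet side.
# Assumed: Linux, iproute2, run as root. Namespace/veth names are chosen here.

NS_A=lo-test-A
NS_B=lo-test-B

cleanup() {
    ip netns del "$NS_A" 2>/dev/null || true
    ip netns del "$NS_B" 2>/dev/null || true
}

# Return 0 only if namespaces can really be created on this host.
can_run() {
    [ "$(id -u)" -eq 0 ] || return 1
    command -v ip >/dev/null 2>&1 || return 1
    command -v ping >/dev/null 2>&1 || return 1
    ip netns add "$NS_A" >/dev/null 2>&1 || return 1
    ip netns del "$NS_A"
    return 0
}

build_topology() {
    cleanup
    ip netns add "$NS_A"
    ip netns add "$NS_B"
    ip link add vethA type veth peer name vethB
    ip link set vethA netns "$NS_A"
    ip link set vethB netns "$NS_B"
    # The wire from the diagram: A is 10.0.0.1, B is 10.0.0.254.
    ip -n "$NS_A" addr add 10.0.0.1/24 dev vethA
    ip -n "$NS_B" addr add 10.0.0.254/24 dev vethB
    ip -n "$NS_A" link set lo up
    ip -n "$NS_B" link set lo up
    ip -n "$NS_A" link set vethA up
    ip -n "$NS_B" link set vethB up
    # Grant's configuration: 192.0.2.1 on A's loopback, forwarding on,
    # B routes the test network via A's ethernet address.
    ip -n "$NS_A" addr add 192.0.2.1/24 dev lo
    ip netns exec "$NS_A" sysctl -q -w net.ipv4.ip_forward=1
    # Make a refused ("martian") packet visible in the kernel log.
    ip netns exec "$NS_A" sysctl -q -w net.ipv4.conf.all.log_martians=1
    ip -n "$NS_B" route add 192.0.2.0/24 via 10.0.0.1
}

# Show how A's routing code classifies the packet, then try the ping from B.
# Prints "reachable" or "unreachable".
run_test() {
    ip -n "$NS_A" route get 192.0.2.1 from 10.0.0.254 iif vethA 2>&1 || true
    if ip netns exec "$NS_B" ping -c 1 -W 1 192.0.2.1 >/dev/null 2>&1; then
        echo reachable
    else
        echo unreachable
    fi
}

main() {
    if ! can_run; then
        echo "skipped: needs root and iproute2 network namespace support"
        return 0
    fi
    build_topology
    run_test
    cleanup
}

main "$@"
```

After a run, `dmesg | grep -i martian` inside the A namespace (or on the host, since the log is shared) shows whether the kernel itself rejected the packet; `ip route get ... iif vethA` shows the decision taken for that source/interface pair before any firewall rule is consulted, which separates a kernel policy from an iptables one.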
