Hello,
Grant Taylor wrote:
No, you misunderstood me. What I meant by "Linux considers it secure"
is that (by default) it will not let any traffic in to or out of the
loopback interface from / to a different interface.
There is no such traffic forwarded between the loopback interface and
another interface, because it just makes no sense. The loopback is
designed for local host communications: all that is sent through it is
received back by the host, and all that is received through it was sent
by the host.
+---+ +---+
| A +-- - - - - - - --+ B |
+---+ .1 (10.0.0) .254 +---+
Suppose I bind 192.0.2.1 to A's loopback interface and add a route to
192.0.2/24 to B via 10.0.0.1. If I try to ping 192.0.2.1 from B, the
traffic will leave B and go down the wire just like it should. However
my experience shows that A will not forward the traffic in to the
loopback interface and destination IP.
Of course not. Why would it? The destination is local (see 'ip route
show table local'), and is treated just as any other local destination
like 10.0.0.1. Traffic is forwarded only when the destination is remote.
Said another way, Linux will not allow foreign traffic (non localhost)
on the loopback interface for security reasons. I believe this to be a
design decision based on security.
I believe it is rather based on common sense.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
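The routing decision the thread describes, as an added illustration that is not part of the original exchange: a simplified Python model of host A's tables in which the 'local' table is consulted before 'main', so 192.0.2.1 bound to lo is delivered to the host like 10.0.0.1 regardless of the ingress interface, while 127/8 destinations arriving on a non-loopback interface are dropped as martians. The tables, interface names and the ip_forward flag are constructed for the example.

```python
import ipaddress

# Constructed tables modelled on host A from the thread: 10.0.0.1/24 on
# eth0, 192.0.2.1 bound to lo. Linux consults the 'local' table (rule
# priority 0) before 'main' (priority 32766); longest prefix wins inside a table.
LOCAL_TABLE = [  # (prefix, interface the address lives on)
    ("127.0.0.0/8", "lo"),
    ("10.0.0.1/32", "eth0"),
    ("192.0.2.1/32", "lo"),   # the address Grant bound to the loopback
]
MAIN_TABLE = [  # (prefix, egress interface)
    ("10.0.0.0/24", "eth0"),
]

def lookup(dst, table):
    """Longest-prefix match of dst against one table; None if no entry matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best

def route_decision(dst, in_iface, ip_forward=True):
    """Return how host A handles a packet to dst that arrived on in_iface."""
    addr = ipaddress.ip_address(dst)
    if lookup(dst, LOCAL_TABLE):
        # 127/8 is only valid on lo; from any other interface it is a martian
        # destination (unless route_localnet is enabled, which is off by default).
        if addr in ipaddress.ip_network("127.0.0.0/8") and in_iface != "lo":
            return "drop: martian destination"
        # Any other local address is delivered to the host itself; nothing is
        # "forwarded into" lo, whichever interface the packet came in on.
        return "deliver locally"
    if not ip_forward:
        return "drop: forwarding disabled"
    hit = lookup(dst, MAIN_TABLE)
    if hit:
        return "forward via " + hit[1]
    return "drop: no route"

if __name__ == "__main__":
    # B pinging the address bound on A's loopback: answered as a local destination.
    print(route_decision("192.0.2.1", "eth0"))   # deliver locally
    print(route_decision("127.0.0.1", "eth0"))   # drop: martian destination
```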