On Tue, Mar 13, 2001 at 09:42:19PM -0400, Peter Cordes wrote:
...
The result is that, as expected, llama doesn't route or accept the packet.
thanks for the crisp and clear explanation; now I get it:)
--
groetjes, carel
It's not so easy to check what happens if you send a packet with a
destination in 127.0.0.0/8, but I'd be surprised if it was accepted.
Why 'not so easy'? just kick down 127.0.0.1 on bigfoot and arp -s it
to point to llama?
Ax
--
Vaclav Hula
[EMAIL PROTECTED]
UIN#36624092
On Tue, Mar 13, 2001 at 11:47:52AM +0100, Ax wrote:
It's not so easy to check what happens if you send a packet with a
destination in 127.0.0.0/8, but I'd be surprised if it was accepted.
Why 'not so easy'? just kick down 127.0.0.1 on bigfoot and arp -s it
to point to llama?
Here's
On Mon, Mar 12, 2001 at 10:14:17PM -0400, Peter Cordes wrote:
...
Arggghh! Sorry, you're right. I was pretty sure that linux checked the
dest of packets before accepting them, so I guess my brain decided to read
it wrong and think you were talking about what I expected you to be a
talking
On Wed, Mar 14, 2001 at 12:14:07AM +0100, Carel Fellinger wrote:
On Mon, Mar 12, 2001 at 10:14:17PM -0400, Peter Cordes wrote:
I decided to check this out,
For now I guess you wanted to check that Linux *does* filter on packet
*destinations* , but I can't follow the example. To be honest,
On Sat, Mar 10, 2001 at 05:20:26PM +, Jim Breton wrote:
On Sat, Mar 10, 2001 at 10:22:48AM -0600, Ted Cabeen wrote:
if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
goto martian_destination;
This is part of the routing check for incoming packets. It
On Mon, Mar 12, 2001 at 06:36:25PM +, Jim Breton wrote:
On Mon, Mar 12, 2001 at 02:31:57PM -0400, Peter Cordes wrote:
Doesn't rp_filter do this, or am I missing something? It should make the
kernel drop packets coming in on interfaces they shouldn't be, e.g. 10.0.0.0
packets coming
On Mon, Mar 12, 2001 at 06:58:07PM -0400, Peter Cordes wrote:
On Mon, Mar 12, 2001 at 06:36:25PM +, Jim Breton wrote:
It does do what you describe; however the original question is about
evil packet _destinations_ and not evil packet _sources._
No, I just checked
On Mon, Mar 12, 2001 at 11:11:40PM +, Jim Breton wrote:
Again, I'm not disagreeing with you. rp_filter and source checking have
nothing to do with the issue though. The question posed was about
packet destinations, and you keep referring to source checks.
Arggghh! Sorry, you're right.
In message [EMAIL PROTECTED], Jim Breton writes:
On Fri, Mar 09, 2001 at 10:09:13PM -0600, Ted Cabeen wrote:
Actually we trap illegal packets like this one in I15lospoof.def.
:#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
:#: over a non-'lo' interface
Hello
"is debian protected before connecting from remote hosts to address
127.0.0.0/8 ?"
On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
Ummm, the kernel and every router and switch on the market will drop
127.0.0.0/8 packets when they see them, unless they're on the lo
On Sat, Mar 10, 2001 at 10:22:48AM -0600, Ted Cabeen wrote:
No. On many routers you have to specify *explicit* spoofing filters.
AFAIK even on CISCO routers.
Really? That's interesting. Does it ship with sensible defaults at the
least?
Can't tell. I'm not the cisco specialist, just saw many
In message [EMAIL PROTECTED], Jim Breton writes:
On Fri, Mar 09, 2001 at 10:09:13PM -0600, Ted Cabeen wrote:
Actually we trap illegal packets like this one in I15lospoof.def.
:#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
:#: over a non-'lo' interface
Double-check
Hello
is debian protected before connecting from remote hosts to address
127.0.0.0/8 ?
On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
Ummm, the kernel and every router and switch on the market will drop
127.0.0.0/8 packets when they see them, unless they're on the lo interface.
In message [EMAIL PROTECTED], Christian Hammers writes:
Hello
is debian protected before connecting from remote hosts to address
127.0.0.0/8 ?
On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote:
Ummm, the kernel and every router and switch on the market will drop
127.0.0.0/8 packets
On Sat, Mar 10, 2001 at 10:22:48AM -0600, Ted Cabeen wrote:
if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
goto martian_destination;
This is part of the routing check for incoming packets. It should take
care of the problem being discussed. :)
(I
Hello,
is debian protected before connecting from remote hosts to address
127.0.0.0/8 ?
how?
--
Matus "fantomas" Uhlar, sysadmin at NEXTRA, Slovakia; IRCNET admin of *.sk
[EMAIL PROTECTED] ; http://www.fantomas.sk/ ; http://www.nextra.sk/
If Barbie is so popular, why do you have to buy her
On Fri, Mar 09, 2001 at 08:49:54PM +, Jim Breton wrote:
# deny and log all packets trying to come in from a 127.0.0.0/8 address
# over a non-'lo' interface
Oops. Just occurred to me that this is not what you were asking about.
Why do I do such things?
Anyway.
Hello,
is debian protected before connecting from remote hosts to address
127.0.0.0/8 ?
how?
--
Matus fantomas Uhlar, sysadmin at NEXTRA, Slovakia; IRCNET admin of *.sk
[EMAIL PROTECTED] ; http://www.fantomas.sk/ ; http://www.nextra.sk/
If Barbie is so popular, why do you have to buy her
On Fri, Mar 09, 2001 at 11:30:23AM +0100, Matus fantomas Uhlar wrote:
Hello,
is debian protected before connecting from remote hosts to address
127.0.0.0/8 ?
how?
Yes. It uses rp_filter (this is controlled in /proc/sys/... Read
linux/Documentation/filesystems/proc.txt, in the kernel
- is debian protected before connecting from remote hosts to address
- 127.0.0.0/8 ?
-
- how?
-
-
- [amos]:~/# grep spoof-protect /etc/init.d/networking
- if [ -e /etc/network/spoof-protect ]; then
- . /etc/network/spoof-protect
-
- [amos]:~/# grep 127.0.0.1 /etc/network/spoof-protect
-
On Fri, Mar 09, 2001 at 08:47:41AM -0400, Peter Cordes wrote:
Yes. It uses rp_filter (this is controlled in /proc/sys/... Read
Also by:
/etc/ipmasq/rules/I15lospoof.def
if you have the ipmasq package installed:
# deny and log all packets trying to come in from a 127.0.0.0/8 address
# over
In message [EMAIL PROTECTED], Jim Breton writes:
On Fri, Mar 09, 2001 at 08:49:54PM +, Jim Breton wrote:
# deny and log all packets trying to come in from a 127.0.0.0/8 address
# over a non-'lo' interface
Oops. Just occurred to me that this is not what you were asking about.
Why do I do
30 matches