Re: netmask for loopback interfaces
- In reply to: Rodney W. Grimes: "Re: netmask for loopback interfaces"
Date: Thu, 04 Nov 2021 19:10:37 UTC
"Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net> wrote:

> > Note, the default FreeBSD firewall rules already have:
> >
> > ${fwcmd} add 100 pass all from any to any via lo0
> > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Which no longer work correctly since the "to 127.0.0.0/8"
> packets SHALL go out whatever interface the route table
> tells them to (often the default route), AND NOT lo0.
>
> oot {1003}# route -n get 127.1.1.1
>    route to: 127.1.1.1
> destination: 0.0.0.0
>        mask: 0.0.0.0
>     gateway: 192.168.32.8
>         fib: 0
>   interface: em0

Hi!

I'm not sure what you mean. The current default rules will stop anything
to 127.0.0.0/8 going anywhere other than via lo0 - which preserves
"current expected behaviour" - I was pointing out that in reply to
Oleksandr's comment:

| /8 mask on loopback prevents use of the 127.x.x.x network anywhere
| outside of the localhost. This is described in RFC 5735 [1] and 1122 [2]

His argument was that putting an /8 on the localhost address would neatly
stop 127/8 traffic going to the LAN - I was pointing out there are other
ways to do this, i.e. routing, and the firewall.

Of course, if FreeBSD relaxes to allow the use of 128/8 outside 128/16,
then these rules will need to be changed.
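To make the disagreement above concrete, here is a small constructed model of the three quoted ipfw rules (added as an illustration for this thread, not code from FreeBSD or from either poster). It walks a packet through rules 100, 200 and 300 in order and shows that a packet to 127.1.1.1 leaving em0 (as in Rodney's route lookup) is still denied by rule 200 before it reaches the LAN, while the same packet via lo0 passes on rule 100. The trailing rule 65535 is an assumption standing in for whatever default policy the firewall ends with.

```python
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# (rule number, action, match-from network, match-to network, via interface)
# None means "any". These mirror the rules quoted in the thread.
RULES = [
    (100, "pass", None, None, "lo0"),          # pass all from any to any via lo0
    (200, "deny", None, LOOPBACK_NET, None),   # deny all from any to 127.0.0.0/8
    (300, "deny", LOOPBACK_NET, None, None),   # deny ip from 127.0.0.0/8 to any
    (65535, "pass", None, None, None),         # assumed: permissive catch-all default
]


def first_match(src, dst, iface):
    """Return (rule number, action) of the first rule that matches a packet.

    src/dst are dotted-quad strings, iface is the interface the packet
    traverses (what ipfw's 'via' keyword matches against).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, from_net, to_net, via in RULES:
        if from_net is not None and s not in from_net:
            continue
        if to_net is not None and d not in to_net:
            continue
        if via is not None and via != iface:
            continue
        return num, action
    raise AssertionError("ruleset has no catch-all")


if __name__ == "__main__":
    # Constructed sample packets: the route table sends 127.1.1.1 out em0,
    # but rule 200 still drops it; the same packet via lo0 is passed.
    for pkt in [("192.168.32.5", "127.1.1.1", "em0"),
                ("192.168.32.5", "127.1.1.1", "lo0"),
                ("127.0.0.1", "192.168.32.8", "em0"),
                ("192.168.32.5", "192.168.32.8", "em0")]:
        print(pkt, "->", first_match(*pkt))
```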