Bugtraq mailing list archives

Re: Loopback and multi-homed routing flaw in TCP/IP stack.


From: Lothar Beta <lb () ENTERACT COM>
Date: Mon, 5 Mar 2001 21:57:49 -0800

Greetinks,

On Mon, Mar 05, 2001 at 07:44:43PM +0000, Woody wrote:
Subject: Loopback and multi-homed routing flaw in TCP/IP stack.
Author: Woody <woody () thebunker net>

[snip]

must be configured, using a firewall, to drop IP packets arriving from
the wrong network in order to be secure. This is commonly not the
case.

How commonly? :)


Known Vulnerable Systems:

        FreeBSD - all releases to date.
        OpenBSD - all releases to date.
        NetBSD  - all releases to date.


While I am resisting the urge to argue that standards compliance is not,
in fact, a bug per se, I would like to note for the record...
The default "simple" firewall rules for ipfw in FreeBSD specify that
packets destined for the 127.0.0.0/8 network not coming from the lo0
device will be dropped.  This sort of example provides a mechanism for
avoiding the acceptance of malicious spoofed traffic, without breaking
the kernel's compliance.  Furthermore, utilizing other features of the
IP firewalling code, such attempts could be logged, rather than silently
discarded in the kernel as invalid.  I prefer this solution to patching
the kernel given that some people *expect* compliant behavior, even if
it is not always ideal.

The following three lines in /etc/rc.conf will do as stated above,
for FreeBSD 4.x machines. (and previous, I believe, but I don't have a
3.x or 2.x box around anymore)

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="SIMPLE"

Raising awareness is good, but it seems there is an architectural
solution already in place under at least one of these three OS
flavors, which provides significant flexibility.

Just my two cents,

lb
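The approach the post describes (accept loopback traffic only via lo0, drop and log 127.0.0.0/8 traffic seen anywhere else, and drop packets for one interface's address that arrive on the other) can be expressed as an ipfw rule list in the style of /etc/rc.firewall. The script below is an added example, not the post's own text and not FreeBSD's shipped rc.firewall; the interface names, addresses and rule numbers are assumptions for illustration. By default it only echoes the ipfw commands so it can be inspected offline; set FWCMD=/sbin/ipfw to load the rules for real.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD's rc.firewall).
# Builds an ipfw rule list that enforces the loopback and multi-homed
# anti-spoofing the post describes, with the offending packets logged.
# Interfaces and addresses are illustrative assumptions.

# Dry-run by default: print the commands instead of loading them.
fwcmd="${FWCMD:-echo ipfw}"

# Assumed multi-homed host: "outside" and "inside" interfaces.
oif="fxp0"; onet="192.0.2.0";     omask="255.255.255.0"; oip="192.0.2.10"
iif="fxp1"; inet="198.51.100.0";  imask="255.255.255.0"; iip="198.51.100.1"

gen_rules() {
    ${fwcmd} -f flush

    # Loopback: anything carried by lo0 is legitimate; 127/8 traffic that
    # did not come in via lo0 is spoofed, so drop it and log it rather than
    # letting the stack accept it silently.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny log all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any

    # Multi-homed: a packet addressed to one interface's address must arrive
    # on that interface, not the other one.
    ${fwcmd} add 400 deny log all from any to ${oip} in via ${iif}
    ${fwcmd} add 500 deny log all from any to ${iip} in via ${oif}

    # Source-address anti-spoofing, as in the SIMPLE ruleset: our own
    # networks never legitimately appear as a source on the wrong interface.
    ${fwcmd} add 600 deny log all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add 700 deny log all from ${onet}:${omask} to any in via ${iif}

    # Whatever policy follows; permissive here so the example is complete.
    ${fwcmd} add 65000 pass all from any to any
}

gen_rules
```

The `log` keyword only produces output when logging is enabled in the kernel (sysctl net.inet.ip.fw.verbose=1, and on 4.x a kernel built with IPFIREWALL_VERBOSE). To use a custom list like this instead of the stock SIMPLE set, point firewall_type in /etc/rc.conf at a file containing the rules rather than at a keyword.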

