Bugtraq mailing list archives
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
From: Lothar Beta <lb () ENTERACT COM>
Date: Mon, 5 Mar 2001 21:57:49 -0800
Greetinks,

On Mon, Mar 05, 2001 at 07:44:43PM +0000, Woody wrote:

> Subject: Loopback and multi-homed routing flaw in TCP/IP stack.
> Author: Woody <woody () thebunker net>

[snip]

> must be configured, using a firewall, to drop IP packets arriving from the wrong network in order to be secure. This is commonly not the case.

How commonly? :)

> Known Vulnerable Systems:
> FreeBSD - all releases to date.
> OpenBSD - all releases to date.
> NetBSD - all releases to date.

While I am resisting the urge to argue that standards compliance is not, in fact, a bug per se, I would like to note for the record...

The default "simple" firewall rules for ipfw in FreeBSD specify that packets destined for the 127.0.0.0/8 network not coming from the lo0 device will be dropped. This sort of example provides a mechanism for avoiding the acceptance of malicious spoofed traffic, without breaking the kernel's compliance. Furthermore, utilizing other features of the IP firewalling code, such attempts could be logged, rather than silently discarded in the kernel as invalid. I prefer this solution to patching the kernel given that some people *expect* compliant behavior, even if it is not always ideal.

The following three lines in /etc/rc.conf will do as stated above, for FreeBSD 4.x machines. (and previous, I believe, but I don't have a 3.x or 2.x box around anymore)

    firewall_enable="YES"
    firewall_script="/etc/rc.firewall"
    firewall_type="SIMPLE"

Raising awareness is good, but it seems there is an architectural solution already in place under at least one of these three OS flavors... Which provides significant flexibility.

Just my two cents,

lb
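A constructed model of the first-match rule ordering the post relies on, added here as an example and not taken from the post or from FreeBSD's rc.firewall: a "pass via lo0" rule must precede the "deny to 127.0.0.0/8" rule, and the same receive-interface check extends to a multi-homed host's own addresses. The interface names, addresses and `Packet`/`Rule` types are assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str   # source IPv4 address
    dst: str   # destination IPv4 address
    recv: str  # interface the packet arrived on


@dataclass
class Rule:
    action: str                 # "pass" or "deny"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"            # CIDR or "any"
    recv: Optional[str] = None  # receive interface, None matches any
    log: bool = False           # whether a match should be logged


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


# Constructed rule set modelled on the loopback section of the "simple" ipfw
# rules: loopback traffic passes first, then anything else touching 127/8 is
# dropped and logged instead of silently discarded.
LOOPBACK_RULES: List[Rule] = [
    Rule("pass", recv="lo0"),
    Rule("deny", dst="127.0.0.0/8", log=True),
    Rule("deny", src="127.0.0.0/8", log=True),
]


def multihomed_rules(ifaces: dict) -> List[Rule]:
    """ifaces maps interface name -> its address (assumed sample values).
    Drops packets for one interface's address that arrive on another."""
    return [
        Rule("deny", dst=f"{addr}/32", recv=other, log=True)
        for name, addr in ifaces.items()
        for other in ifaces
        if other != name
    ]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool]:
    """First-match evaluation like ipfw; returns (action, logged)."""
    for r in rules:
        if r.recv is not None and r.recv != pkt.recv:
            continue
        if _in_net(r.src, pkt.src) and _in_net(r.dst, pkt.dst):
            return r.action, r.log
    return "pass", False  # default action for the model; not kernel-accurate
```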