- Subject: Re: comments about local loopback interface rule granularity
- From: Jan Engelhardt <jengelh@xxxxxxxxxx>
- Date: Tue, 13 Mar 2012 16:06:16 +0100 (CET)
- Cc: netfilter@xxxxxxxxxxxxxxx
- In-reply-to: <CAMmbHwnH1YSW8vFJu2aoFSnY-vSDRS9KtGdhSe2G=tdyhGgmsg@mail.gmail.com>
- User-agent: Alpine 2.01 (LNX 1266 2009-07-14)
On Tuesday 2012-03-13 15:28, paddy joesoap wrote:
>Hi all,
>
>What is the correct local loopback iptables rules for a single hosted
>firewall (laptop)?
>
>I often see the following:
>
>iptables -A INPUT -i lo -j ACCEPT
>iptables -A OUTPUT -o lo -j ACCEPT
>
>where a default DROP policy is applied to both INPUT and OUTPUT chains.
>
>I notice with this configuration I can ping the localhost (as
>expected) but I also can ping the local IP address of the machine!
Well that's the whole point of loopback.
>Why is this the case with respect to the local IP address?
>
>Is this the correct set of rules?
No, because your local host has more addresses than just 127.0.0.1/32,
and they very well want to be accessible.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
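The point Jan makes above is easy to verify by modelling the two decisions the kernel takes: the routing lookup, which sends any packet addressed to one of the host's own addresses (not just 127.0.0.1) out via lo, and the iptables match, which for the rules quoted in the question keys on the interface rather than on an address. The following model is an added example, not code from the thread or from netfilter; the address set (127.0.0.1 and 192.0.2.10), the interface name eth0 and the "narrowed" ruleset are constructed for illustration.

```python
import ipaddress

# Constructed example: the addresses assigned to this laptop. Not from the thread.
LOCAL_ADDRS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("192.0.2.10")}


def egress_interface(dst, local_addrs=LOCAL_ADDRS, default_iface="eth0"):
    """Model of the routing decision: the kernel's 'local' route table delivers any
    packet whose destination is one of the host's own addresses via lo, no matter
    which interface that address is configured on. Everything else goes out the
    (assumed) default interface."""
    return "lo" if ipaddress.ip_address(dst) in local_addrs else default_iface


class Rule:
    """One iptables rule: optional -i / -o / -s / -d matches and a -j target."""

    def __init__(self, target, in_iface=None, out_iface=None, src=None, dst=None):
        self.target = target
        self.in_iface = in_iface
        self.out_iface = out_iface
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None

    def matches(self, pkt):
        if self.in_iface is not None and pkt.get("in") != self.in_iface:
            return False
        if self.out_iface is not None and pkt.get("out") != self.out_iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        return True

    def as_iptables(self, chain):
        parts = ["iptables", "-A", chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.out_iface:
            parts += ["-o", self.out_iface]
        if self.src:
            parts += ["-s", str(self.src)]
        if self.dst:
            parts += ["-d", str(self.dst)]
        parts += ["-j", self.target]
        return " ".join(parts)


def evaluate(chain_rules, policy, pkt):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in chain_rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The rules quoted in the question: match on the interface only.
LOOPBACK_RULES = {
    "INPUT": [Rule("ACCEPT", in_iface="lo")],
    "OUTPUT": [Rule("ACCEPT", out_iface="lo")],
}

# Constructed 'narrowed' variant that additionally restricts to 127.0.0.0/8,
# i.e. the finer granularity the subject line asks about.
NARROW_RULES = {
    "INPUT": [Rule("ACCEPT", in_iface="lo", dst="127.0.0.0/8")],
    "OUTPUT": [Rule("ACCEPT", out_iface="lo", dst="127.0.0.0/8")],
}


def local_ping_verdict(dst, rules=LOOPBACK_RULES, policy="DROP"):
    """Trace an ICMP echo request from this host to dst: through OUTPUT, and, if the
    packet is delivered locally, back in through INPUT on lo. Returns
    (output_verdict, input_verdict); input_verdict is None when the packet never
    reaches INPUT on this host."""
    iface = egress_interface(dst)
    # For a locally delivered packet the kernel picks the destination address itself
    # as the source, so src == dst here (modelling assumption).
    out_verdict = evaluate(rules["OUTPUT"], policy, {"out": iface, "src": dst, "dst": dst})
    if out_verdict != "ACCEPT" or iface != "lo":
        return (out_verdict, None)
    in_verdict = evaluate(rules["INPUT"], policy, {"in": "lo", "src": dst, "dst": dst})
    return (out_verdict, in_verdict)


if __name__ == "__main__":
    for chain, chain_rules in LOOPBACK_RULES.items():
        for r in chain_rules:
            print(r.as_iptables(chain))
    for target in ("127.0.0.1", "192.0.2.10", "198.51.100.7"):
        print(target, "interface-only:", local_ping_verdict(target),
              "narrowed:", local_ping_verdict(target, NARROW_RULES))
```

Running it shows why the interface-only rules behave as the original poster observed: a ping to 192.0.2.10 is delivered via lo exactly like a ping to 127.0.0.1, so `-i lo -j ACCEPT` admits both, while the narrowed variant drops the ping to the host's own non-loopback address in OUTPUT, which is the breakage Jan's reply warns about. A ping to an address that is not local never matches the lo rules and falls through to the DROP policy.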