Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 05/05/2000 23:28:20
>Looking at the top 10 old PR's which have not been closed, 991 (one that
>I'm responsible for :) is now there...and I think it is well past the
>time when it should be dealt with (there's been enough discussion about
>it both in GNATS and here :)
>
>The patch below introduces net.inet.ip.strictdest and I've set it up to
>default to the value of 1 - i.e. to enforce IP#'s to match interfaces.

i think the consensus the last time this went around was that this
could be done by people that wanted via ipfilter.  a script (perl or
sh, i guess) should be able to generate the rules required for this
rather easily.

on the other hand...now that i have your attention, is "operator
intelligence" the only protection against something like

   pass in quick on lo0 to lo0 from any to any

???  i just tried it to see if it would lock up the machine.  and how!

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
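The rule-generating script the reply suggests, as an added example that is not part of the thread and not code from either poster. It takes a constructed interface/address table (the names and addresses are made up for the example; on a real host they would come from ifconfig) and emits one ipf "block in quick on <if> from any to <addr>" rule for every address that does not belong to the arriving interface, which is the same check net.inet.ip.strictdest would do in the kernel. lo0 is deliberately skipped as an arriving interface: locally originated packets to any local address are looped back through lo0, so blocking there would cut the host off from its own addresses, which is the kind of self-inflicted lockout the "pass in quick on lo0 ..." experiment above ran into.

```sh
#!/bin/sh
# Constructed interface table ("interface address" per line); example values
# only, not taken from the mail. Replace with real ifconfig output on a host.
IFTABLE='fxp0 192.0.2.1
fxp1 198.51.100.1
lo0 127.0.0.1'

# strictdest_rules: for each non-loopback interface, block incoming packets
# addressed to any other interface's IP, so a packet for fxp0's address that
# arrives on fxp1 (or one for 127.0.0.1 arriving from the wire) is dropped
# before ipf's ordinary pass rules are consulted. Output is ipf rule syntax.
strictdest_rules() {
    printf '%s\n' "$IFTABLE" | while read -r ifname addr; do
        # Own-address traffic is looped back via lo0; never filter it there.
        case "$ifname" in lo0) continue ;; esac
        printf '%s\n' "$IFTABLE" | while read -r other_if other_addr; do
            # Packets to the arriving interface's own address are legitimate.
            [ "$ifname" = "$other_if" ] && continue
            echo "block in quick on $ifname from any to $other_addr/32"
        done
    done
}

# strictdest_rule_count: number of rules generated, handy for a sanity check
# before feeding the output to ipf -f.
strictdest_rule_count() {
    strictdest_rules | grep -c '^block in quick'
}

# Usage: strictdest_rules > /etc/ipf.strictdest && ipf -f /etc/ipf.strictdest
strictdest_rules
```

Because the rules use "quick", they must be loaded ahead of any broad "pass in" rule; with three interfaces in the table the script emits four block rules, two for each of the non-loopback interfaces.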