Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Darren Reed <>
From: Andrew Brown <>
List: tech-net
Date: 05/05/2000 23:28:20
>Looking at the top 10 old PR's which have not been closed, 991 (one that
>I'm responsible for :) is now there...and I think it is well past the
>time when it should be dealt with (there's been enough discussion about
>it both in GNATS and here :)
>The patch below introduces net.inet.ip.strictdest and I've set it up to
>default to the value of 1 - i.e. to enforce IP#'s to match interfaces.

i think the consensus the last time this went around was that this
could be done by people that wanted via ipfilter.  a script (perl or
sh, i guess) should be able to generate the rules required for this
rather easily.

on the other hand, now that i have your attention, is "operator
intelligence" the only protection against something like

   pass in quick on lo0 to lo0 from any to any

???  i just tried it to see if it would lock up the machine.  and how!

|-----< "CODE WARRIOR" >-----|
(Andrew Brown)  * "ah!  i see you have the internet that goes *ping*!"
                * "information is power -- share the wealth."
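As an added illustration of the ipfilter route the reply suggests (this script is not part of the original mail, of PR #991, or of the strictdest patch), the following sh function emits ipfilter `block` rules that emulate `net.inet.ip.strictdest=1`: a packet addressed to one interface's address is dropped when it arrives on any other interface. The interface names and addresses are constructed sample data, not read from a live system.

```shell
#!/bin/sh
# Emulate net.inet.ip.strictdest=1 with ipfilter rules.
# Input on stdin: one "<interface> <ipv4-address>" pair per line.
# Output: for every address A bound to interface X, a rule on each
# other interface I of the form
#     block in quick on I from any to A
# so that traffic for A is only accepted when it arrives on X.
strictdest_rules() {
    input=$(cat)
    # Distinct interface names, in input order.
    ifaces=$(printf '%s\n' "$input" | while read -r i _; do
        if [ -n "$i" ]; then printf '%s\n' "$i"; fi
    done | awk '!seen[$0]++')
    printf '%s\n' "$input" | while read -r iface addr; do
        if [ -z "$iface" ] || [ -z "$addr" ]; then continue; fi
        for other in $ifaces; do
            if [ "$other" = "$iface" ]; then continue; fi
            printf 'block in quick on %s from any to %s\n' "$other" "$addr"
        done
    done
}

# Constructed sample interface table (placeholder names and addresses,
# not taken from any real host). lo0's address is treated like any other,
# so packets for 127.0.0.1 arriving on a wire interface are blocked too.
sample_ifaces() {
    printf '%s\n' 'lo0 127.0.0.1' 'le0 10.0.0.5' 'le1 192.168.1.9'
}

# Stand-alone usage: print the generated ruleset.
sample_ifaces | strictdest_rules
```

The rules are meant to be loaded ahead of any `pass` rules, since `quick` stops evaluation at the first match.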