Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Darren Reed <>
From: Andrew Brown <>
List: tech-net
Date: 05/06/2000 00:04:06
>> >Looking at the top 10 old PR's which have not been closed, 991 (one that
>> >I'm responsible for :) is now there...and I think it is well past the
>> >time when it should be dealt with (there's been enough discussion about
>> >it both in GNATS and here :)
>> >
>> >The patch below introduces net.inet.ip.strictdest and I've set it up to
>> >default to the value of 1 - i.e. to enforce IP#'s to match interfaces.
>> i think the consensus the last time this went around was that this
>> could be done by people that wanted via ipfilter.  a script (perl or
>> sh, i guess) should be able to generate the rules required for this
>> rather easily.
>All IP Filter does is control the flow of packets - this sysctl controls
>whether or not the host recognises a packet as being for itself.  You can
>shore up support to in effect restrict packet flow to be that which matches
>the behaviour of the sysctl variable but that is still not the same.  There
>is a subtle, but I think significant, difference.

pass in quick on lo0
pass out quick on lo0
block in all

combined with

    % netstat -in |
        egrep -v 'Network|Link' |
        awk '{print "pass in on",$1,"from any to",$4}'

ought to do, assuming, of course, that you didn't want to pay
attention to any broadcasts that you received...

>> on the other that i have your attention, is "operator
>> intelligence" the only protection against something like
>>    pass in quick on lo0 to lo0 from any to any
>> ???  i just tried it to see if it would lock up the machine.  and how!
>Hmmm.  I think the answer to this is "yes".

okay.  i'll be more careful.  :)

|-----< "CODE WARRIOR" >-----|
(Andrew Brown)
* "ah!  i see you have the internet that goes *ping*!"
* "information is power -- share the wealth."
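The rule-generation idea sketched in the message above, written out as an added shell example (not code from the thread or from IP Filter itself): it reads a constructed `netstat -in` listing, assumed to follow the BSD column layout with a trailing `*` marking a down interface, and emits an IP Filter rule set that only passes packets whose destination is an address configured on the arriving interface. Broadcasts are still not covered, as the message notes.

```shell
#!/bin/sh
# Constructed `netstat -in` output for illustration (not from a real host).
# Columns: Name Mtu Network Address ...; "<Link>" rows carry the MAC address,
# and a trailing "*" on the name marks an interface that is down.
SAMPLE_NETSTAT='Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs Colls
lo0   33192 <Link>                             12     0       12     0     0
lo0   33192 127/8         127.0.0.1            12     0       12     0     0
fxp0  1500  <Link>        00:a0:c9:12:34:56  9876     0     8765     0     0
fxp0  1500  192.168.1/24  192.168.1.5        9876     0     8765     0     0
fxp1* 1500  <Link>        00:a0:c9:65:43:21     0     0        0     0     0
fxp1* 1500  10.0.0/24     10.0.0.5              0     0        0     0     0'

# Read netstat -in text on stdin, write ipf rules on stdout.
gen_strictdest_rules() {
    # Loopback is always local. IP Filter uses the last matching rule unless
    # a rule says "quick", so "block in all" goes first and the per-interface
    # "pass" rules after it override it for matching packets.
    printf '%s\n' 'pass in quick on lo0' 'pass out quick on lo0' 'block in all'
    awk '
        /Network|Link/ { next }               # header and link-layer rows
        {
            ifname = $1
            sub(/\*$/, "", ifname)            # strip the "down" marker
            if (ifname == "lo0") next         # covered by the quick rules
            # one pass rule per (interface, configured address) pair;
            # directed and limited broadcasts are deliberately not added
            print "pass in on", ifname, "from any to", $4
        }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | gen_strictdest_rules
```

The same function works on live output via `netstat -in | gen_strictdest_rules`; review the result before loading it with `ipf -f`, since an interface whose address changes needs the rules regenerated.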