lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160109035708.5251154.82433.21820@gmail.com>
Date:	Fri, 08 Jan 2016 22:57:08 -0500
From:	prmarino1@...il.com
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>,
	Robert Sander <r.sander@...nlein-support.de>,
	netfilter@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: Configure ICMP error source address

 The reason why is in the kernel documentation distributed with the source code.
‎Its not all immediately obvious why and where the kernel does this unless you were involved in the original debates about it. The problems with binding a public ip address to a loopback address are more recently is partialy selinux but mostly of it is because of how routing changed when iproute2 was introduced in the 2.2 kernel (if I remember the versions correctly it was so long ago). The reason is security, many processes bind to the loopback interface for IPC and just grab the first address on the first lo device they find, some of the developers of the applications weren't even aware they were doing it because in some cases it was C libraries several layers deep doing it because odd loopback addresses were common on UNIX ( I remember an AIX admin back in the early 90's telling me I should always use addresses like 127.1.0.2 on the loopback because it was valid made it harder for script kiddies to attack processes ). This was fine when additional addresses would need additional alias on the interface for ifconfig (lo:1 for example) but with iproute2 you could now assign multiple ip addresses to an interface without creating an alias (commonly seen on the keepalived mailing list "why doesn't my VIP show up in ifconfig?")
So there was a decision made to declare all subnets assigned to the loopback interface as unroutable to prevent a lot of very common security holes that were being seen in the wild.

That said you can make it work but you have to do a lot of things you should never do on a firewall like turn off selinux.‎ Or you can simply use the dummy driver and bind your public IP's to that and the problems magically go away. And it makes a lot of sense why else would there be a need for the dummy network driver?


  Original Message  
From: Hannes Frederic Sowa
Sent: Friday, January 8, 2016 11:11
To: prmarino1@...il.com; Robert Sander; netfilter@...r.kernel.org; netdev@...r.kernel.org
Subject: Re: Configure ICMP error source address

On 08.01.2016 16:24, prmarino1@...il.com wrote:
> Don't put a public address on a lo device use a dummy eth interface instead‎. Any IP address and it's subnet assigned to a lo device is marked as a marcian address and the traffic is dropped if it tries to leave the lo device.

O_o

> I know that there is som old documentation out there (for example quagga's documentation) that says you can do it ‎but it's been wrong since the 2.4 version off the kernel.
> Linux treats the lo device differently that what routers call a loopback device. The dummy driver is the linux equivalent of what routers call a loopback device.

What you write seems odd to me, we don't treat lo devices differently to 
dummy devices in respect if you bind a public ip address on it.

Bye,
Hannes



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ