From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
Date: Thu, 14 May 2020 11:36:54 +0100
Message-ID: <4CDCB419-19D8-4F2A-B504-2873436B9F28@ipfire.org>
In-Reply-To: <01be0c7f-555e-a788-9b79-344fc3a05d34@ipfire.org>

Hello,

This is indeed *very* unlikely, but I am okay with this patch being accepted.

Acked-by: Michael Tremer

Best,
-Michael

> On 13 May 2020, at 21:21, Peter Müller wrote:
> 
> This ensures traffic on the loopback interface matches the IPv4
> loopback characteristics (source and destination are within 127.0.0.0/8)
> and prevents any damage in the unlikely case of non-loopback traffic
> being injected/emitted (in)to the loopback interface.
> 
> Cc: Arne Fitzenreiter
> Cc: Michael Tremer
> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/firewall | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 00512d9fa..409aaf7a9 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -219,10 +219,10 @@ iptables_init() {
> iptables -A INPUT -j ICMPINPUT
> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
> 
> - # Accept everything on loopback
> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8
> iptables -N LOOPBACK
> - iptables -A LOOPBACK -i lo -j ACCEPT
> - iptables -A LOOPBACK -o lo -j ACCEPT
> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> 
> # Filter all packets with loopback addresses on non-loopback interfaces.
> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
> -- 
> 2.26.1
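Review bot: the tightened `-i lo` / `-o lo` rules in this hunk no longer match locally originated traffic that the kernel delivers over `lo` between the host's own non-loopback addresses (for example a connection from the firewall to one of its own interface addresses, where neither source nor destination is within 127.0.0.0/8); such packets now fall through the LOOPBACK chain to whatever rules follow instead of being accepted here. Either confirm that a later rule accepts that case, or keep an interface-only accept for it and rely on the existing `iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP` to reject loopback addresses seen on other interfaces. A short comment on the new lines stating which of these two outcomes is intended would make the chain easier to audit.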