Hello,
This is indeed *very* unlikely, but I am okay with this patch being accepted.
Acked-by: Michael Tremer michael.tremer@ipfire.org
Best, -Michael
On 13 May 2020, at 21:21, Peter Müller peter.mueller@ipfire.org wrote:
This ensures traffic on the loopback interface matches the IPv4 loopback characteristics (source and destination are within 127.0.0.0/8) and prevents any damage in the unlikely case of non-loopback traffic being injected/emitted (in)to the loopback interface.
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 00512d9fa..409aaf7a9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -219,10 +219,10 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
- # Accept everything on loopback
- # Accept everything on loopback if both source and destination are within 127.0.0.0/8 iptables -N LOOPBACK
- iptables -A LOOPBACK -i lo -j ACCEPT
- iptables -A LOOPBACK -o lo -j ACCEPT
iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# Filter all packets with loopback addresses on non-loopback interfaces. iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
-- 2.26.1