Cleanest way to deal with loopback interface?

Christian Seberino seberino at
Mon Apr 18 22:09:05 CEST 2005


I tried to understand this attack but it was over my head.
The message is simply that
I should only allow loopback traffic whose source
and destination addresses are right??


              -s -d -j ACCEPT
              -s -d -j ACCEPT

This is safe, right?


On Wed, 2005-04-13 at 18:09, Taylor Grant wrote:
> > allow traffic on the loopback interface unconditionally,  and allow the
> > linux routing code 'martian' checks to drop packets received
> > 'on the wire' as it does by default.
> I don't think this is such a good idea.  I could reconfigure my system such that its loopback interface was not in the network and set a route to the network to be via your IP on the LAN.  Assuming that your system and my system were on the same LAN and subnet and we could ping each other, I would be able to access your address, as your kernel would forward traffic to the loopback network in your system.
> Grant. . . .
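As an added example, not code from the thread or from netfilter, here is a small Python model of the two approaches the messages contrast: an address-constrained accept rule on lo versus the kernel's martian check on packets arriving on other interfaces. It assumes the elided -s/-d values are 127.0.0.0/8 and runs over constructed sample packets.

```python
"""Added example: models the loopback policy discussed in the thread.
Assumption (not on the page): the elided rule addresses are 127.0.0.0/8.
"""
import ipaddress
from typing import NamedTuple

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")  # assumed -s/-d value


class Packet(NamedTuple):
    iface: str
    src: str
    dst: str


def loopback_rule_matches(pkt: Packet) -> bool:
    """Model of '-i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT'."""
    return (pkt.iface == "lo"
            and ipaddress.ip_address(pkt.src) in LOOPBACK_NET
            and ipaddress.ip_address(pkt.dst) in LOOPBACK_NET)


def is_martian(pkt: Packet) -> bool:
    """A 127/8 source or destination seen on a non-loopback interface:
    the case Grant describes, which the routing code drops by default."""
    return pkt.iface != "lo" and (
        ipaddress.ip_address(pkt.src) in LOOPBACK_NET
        or ipaddress.ip_address(pkt.dst) in LOOPBACK_NET)


def decide(pkt: Packet, martian_check: bool = True) -> str:
    """Verdict for one packet; 'continue' means the rest of the ruleset
    decides, i.e. the loopback rule itself said nothing about it."""
    if martian_check and is_martian(pkt):
        return "DROP-martian"
    if loopback_rule_matches(pkt):
        return "ACCEPT"
    return "continue"


# Constructed sample packets (not captured traffic).
SAMPLES = [
    Packet("lo", "127.0.0.1", "127.0.0.1"),      # normal local traffic
    Packet("eth0", "192.0.2.10", "127.0.0.1"),   # wire packet aimed at lo
    Packet("eth0", "127.0.0.1", "192.0.2.5"),    # loopback source on the wire
    Packet("eth0", "192.0.2.10", "192.0.2.5"),   # ordinary LAN traffic
]


def audit(samples=SAMPLES, martian_check: bool = True) -> dict:
    return {p: decide(p, martian_check) for p in samples}


if __name__ == "__main__":
    for pkt, verdict in audit().items():
        print(pkt, "->", verdict)
```

Running it with martian_check=False shows the point of the quoted exchange: the address-constrained lo rule never sees a 127/8 packet arriving on eth0, so the kernel's martian drop (or an explicit drop of 127/8 on non-lo interfaces) is what covers that case.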
