From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 15 Aug 2004 - 23:13:11 BST
On Mon, Aug 16, 2004 at 09:55:15AM +1200, Sam Vilain wrote:
> Herbert Poetzl wrote:
> >using 127.X.0.1 with X!=0 seems somewhat strange,
> >what is the idea behind this? 'normal' vservers do
> >not use lo device, because this is a security hole
> >per definition ...
> I thought that sharing the IP address 127.0.0.1 was the security hole,
> and the only thing special about lo is that it is a dummy interface that
> doesn't broadcast anywhere.
hmm, no, the dummyX interface is the dummy interface ;)
the lo interface is the loopback interface, and it
is called so because it immediately 'reflects' any
packet sent to it, thusly allowing any sniffer bound
to that interface to receive the packet ...
this might be avoided by tricky configuration, but
it would kind of defeat the purpose, as the only
ip handled special by linux-vserver networking is
the 127.0.0.1 one ...
> The IP RFC specifies the whole of 127.* for
> local host addresses (of course, glibc has an arguably broken #define of
> INADDR_LOOPBACK = 127.0.0.1, so certain methods of opening a socket (eg,
> ssh port forwarding) break).
> Having said that, the times I've tried to set up vservers on the
> loopback interface firewalling didn't work correctly (IIRC) so maybe it
> is special in some weird and historic way.
most likely, this happened because linux-vserver
tends to rewrite 127.0.0.1 in certain cases to the
primary ip for that vserver ...
Vserver mailing list
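A constructed example (added here, not code from the thread) that shows what sharing 127.0.0.1 across guests means on the wire: a TCP listener bound to 0.0.0.0 answers at 127.0.0.1 and at every other 127.X address that lands on lo, while a listener bound to one specific loopback address answers only there. It assumes a Linux host (the kernel routes the whole 127.0.0.0/8 to lo) and uses 127.2.0.1 as a constructed 127.X.0.1 address.

```python
import socket

# Constructed demo (added here, not code from the linux-vserver thread).
# Assumes a Linux host, where the kernel routes all of 127.0.0.0/8 to lo.
DEMO_ADDR = "127.2.0.1"  # constructed: any 127.X.0.1 with X != 0 would do

def inaddr_loopback() -> str:
    """The one address that glibc's INADDR_LOOPBACK #define names."""
    return socket.inet_ntoa(socket.INADDR_LOOPBACK.to_bytes(4, "big"))

def reachable(bind_addr: str, connect_addr: str) -> bool:
    """Listen on bind_addr (ephemeral port) and report whether a client
    connecting to connect_addr on that same port completes a TCP handshake.
    No accept() is needed: the kernel completes the handshake itself."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((bind_addr, 0))
    except OSError:          # address not configured on this host
        srv.close()
        return False
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(1.0)
    try:
        cli.connect((connect_addr, port))
        return True
    except OSError:          # refused (no listener on that address) or unroutable
        return False
    finally:
        cli.close()
        srv.close()

def whole_net_on_lo() -> bool:
    """True when this host accepts binds on 127.X.0.1 with X != 0 (Linux default)."""
    return reachable(DEMO_ADDR, DEMO_ADDR)

if __name__ == "__main__":
    print("INADDR_LOOPBACK =", inaddr_loopback())
    # A 0.0.0.0 listener is reachable at every loopback address, so a guest
    # sharing lo can reach it at 127.0.0.1; a listener bound to one specific
    # 127.X address answers only there.
    for bind in ("0.0.0.0", "127.0.0.1", DEMO_ADDR):
        for dst in ("127.0.0.1", DEMO_ADDR):
            print(f"bind {bind:<9} -> connect {dst:<9}: {reachable(bind, dst)}")
```

The matrix it prints is the reason a per-guest primary IP, rather than a shared 127.0.0.1, is what the vserver networking code rewrites to.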