Re: [vserver] HA vserver in an active/active configuration

From: Jason Drage <jasond_at_ibsglobalweb.com>
Date: Wed 06 Feb 2008 - 00:10:24 GMT
Message-ID: <47A8FAF0.8000903@ibsglobalweb.com>

Adam Majer wrote:
> Christian Balzer wrote:
>
>> Anyways, I searched the archives and other than this question/quest
>> from 2006 (without an answer) I came up blank:
>> --- Alexander Kabanov wrote:
>> the only reason why I would like to have some kind of local/internal
>> interface inside a guest - let people bind services to something that
>> is not accessible from outside and from other guests on the host
>> server.
>>
>
> I don't think there is a need for lo interface at all. In my case, I've
> added a local class C network to the dummy interface (ie. packets go
> through lo).
Let me make sure I understand. You don't think there is a need for a
lo interface but then you go and create one because you need it.. Huh?
> Then there is a public interface with few public IP
> addresses. I manage the access to entire thing and one vserver to
> another via iptables. I only use private IP addresses because it makes
> sense economically - IPv6 will make that choice obsolete.
>
> lo interface only makes sense if you do not want to use a firewall.
The lo interface also makes sense when your network applications expect
it to be there.
These applications by convention also expect lo to be 'safe', i.e.
packets stay within the server, without requiring any firewall.
> A vserver running server without a firewall to control internal traffic is
> a bad thing, IMHO.
>
Perhaps, but changing the networking/security context of every
application is much worse.
The convention of using lo/127.x.x.x works, why would you want to break
it just so you can then firewall it?

Apologies if I've misunderstood your argument, but to me it sounds like
crazy talk ;-)

-- Jason
Received on Wed Feb 6 00:10:51 2008
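
Added example, not part of the original thread: a check a guest administrator could run over listener output to see which services that are meant to be local-only are bound to something other than loopback, and therefore depend on iptables for isolation. The internal network, the port policy and the sample `ss -ltn`-style lines are all constructed assumptions.

```python
import ipaddress

# Assumption: the private class C carried on the dummy interface.
INTERNAL_NET = ipaddress.ip_network("192.168.50.0/24")
# Assumption: ports of services that should only be reachable locally.
LOCAL_ONLY_PORTS = {3306, 5432, 631}

# Constructed sample in the column layout of `ss -ltn` (header omitted).
SAMPLE = """\
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 192.168.50.12:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 203.0.113.10:80 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
"""

def scope(addr_text):
    """Classify a bind address by who can reach it without a firewall."""
    if addr_text == "*":
        return "all-addresses"
    addr = ipaddress.ip_address(addr_text.strip("[]").split("%")[0])
    if addr.is_loopback:
        return "loopback"        # stays inside the guest by convention
    if addr.is_unspecified:
        return "all-addresses"   # every address assigned to the guest
    if addr.version == INTERNAL_NET.version and addr in INTERNAL_NET:
        return "internal"        # other guests can reach it unless filtered
    return "public"

def parse_listeners(text):
    """Return (host, port, scope) for each LISTEN line."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        out.append((host, int(port), scope(host)))
    return out

def exposed_local_services(text):
    """Local-only services whose bind address is not loopback."""
    return [(h, p, s) for h, p, s in parse_listeners(text)
            if p in LOCAL_ONLY_PORTS and s != "loopback"]

if __name__ == "__main__":
    for host, port, where in exposed_local_services(SAMPLE):
        print(f"{host}:{port} is bound to {where}; isolation relies on the firewall")
```

Each flagged listener is a service whose isolation rests on firewall rules rather than on the loopback convention.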
