From: Paul de Weerd (weerd at weirdnet.nl)
Date: Fri Dec 21 2007 - 18:31:25 CST
Replying to myself, I know.
On Sat, Dec 22, 2007 at 12:53:02AM +0100, Paul de Weerd wrote:
| [trying another way to do the same]
| $ sudo route add 0.0.0.0 -netmask 255.0.0.0 -blackhole 127.0.0.1
| add net 0.0.0.0: gateway 127.0.0.1
After adding this route, I see another (possibly related) bug :
$ netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 127.0.0.1 UGBS 0 3 33208 lo0
default 192.0.2.1[*] UGS 6 29706 - vr0
I'm not quite sure where this bug lies, but "somewhere" OpenBSD
considers 0/8 to be the default route, even if it's not (the first
route is about 0/8; it seems to me that only routes with a /0 netmask
should be called 'default').
| +# Before configuring any non-loopback interfaces, blackhole traffic to
| +# 0/8 which should never hit the wire according to Stevens
| +route add 0.0.0.0 -netmask 255.0.0.0 -blackhole 127.0.0.1
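Review bot: the comment above the `route add` line should warn that this blackhole entry shows up as a second "default" route (gateway 127.0.0.1, flags UGBS) in `netstat -rnf inet`, as the output later in this mail shows, so an administrator does not mistake it for the real default gateway; a line such as `# (listed as 'default' with flags UGBS by netstat -rnf inet)` would do. The Stevens citation would also be clearer with the volume named, since the mail itself notes that Volume 1 and Volume 2 treat 0/8 differently.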
To clarify, this will prevent the OpenBSD machine from ever sending
out traffic on the wire that is destined for 0.0.0.0/8.
| According to Stevens (this time in Volume 2), this check is there for
| compatibility with stacks that were derived from 4.2BSD which
| considered INADDR_ANY a broadcast address (weird, since in Volume 1 he
| says 0/8 should never be on the wire). But anyway, for sending, 0/32
| is not considered a broadcast as OpenBSD machines happily send this
| traffic to their default gateway (or a more specific route, hence the
| above change to /etc/netstart) so why do we still consider it to be so
| in ip_input ?
Again, to clarify: an OpenBSD router will reply to pings to 0.0.0.0
because it considers it a broadcast address when receiving. When
sending traffic to this address (which works when using raw sockets
but (correctly) gives you EINVAL for TCP, unlike some flawed
implementations (Linux, Solaris, maybe others) that consider 0.0.0.0
to be localhost), the traffic should never leave the machine for
obvious reasons.
So, the two things I suppose should be fixed are:
o Sending traffic out on the wire destined for 0.0.0.0/8
o Replying to packets destined to 0.0.0.0
For a minute there, I seemed to remember OpenBSD routers actually
forwarding traffic for addresses in 0/8 other than 0.0.0.0, but my
quick tests show that this is not happening. I'm assuming this is not
pf dropping such traffic (since I'm testing this stuff with my home
router which NATs to the outside world).
Cheers,
Paul 'WEiRD' de Weerd
[*]: That is not actually my default gateway.
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
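As an added illustration (not OpenBSD code and not from the mail) of why the 0/8 blackhole route shadows the real default route only for 0.0.0.0/8 destinations, and why only a /0 entry deserves the label 'default', here is a small longest-prefix-match model of the routing table quoted above. The table is constructed from that netstat output and keeps the mail's placeholder gateway 192.0.2.1.

```python
import ipaddress

# Constructed routing table modelled on the netstat output in the mail.
# 192.0.2.1 is the mail's own placeholder, not a real gateway.
ROUTES = [
    # (destination network, gateway, flags)
    (ipaddress.ip_network("0.0.0.0/8"), "127.0.0.1", "UGBS"),  # blackhole for 0/8
    (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "UGS"),   # the real default
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags)
    return best


def egress_decision(dst, routes=ROUTES):
    """Return 'blackhole' if the kernel would discard the packet locally,
    otherwise the next-hop gateway it would be sent to."""
    route = lookup(dst, routes)
    if route is None:
        return "no route"
    net, gw, flags = route
    if "B" in flags:  # blackhole flag: drop without putting anything on the wire
        return "blackhole"
    return gw


def display_name(net):
    """Label a destination the way netstat arguably should: only a /0
    (all-zero netmask) is 'default'; any other prefix is shown with its length."""
    return "default" if net.prefixlen == 0 else str(net)


if __name__ == "__main__":
    for dst in ("0.0.0.0", "0.0.0.5", "203.0.113.9"):
        print(dst, "->", egress_decision(dst))
    for net, gw, flags in ROUTES:
        print(display_name(net), gw, flags)
```

Anything in 0.0.0.0/8 hits the /8 entry first and is discarded; everything else falls through to the /0 entry, which is the only one `display_name` calls 'default'.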