[clug] Enforce SSH tunnel to squid proxy

Martin Pool mbp at samba.org
Tue Sep 23 17:11:58 EST 2003


On 23 Sep 2003, Sam Couter <sam at couter.dropbear.id.au> wrote:
> Ian Perry <nightweaver at thebhg.org> wrote:
> > Can you bind squid to 127.0.0.1 instead?
> 
> Wasn't there a big fuss a while back about Linux letting network packets
> at any interface, even if they didn't come from a network connected to
> that interface? If I'm remembering it correctly, binding to 127.0.0.1
> won't change anything if there's another network interface active.

The 'spoof protect' / rp_filter checks that packets only come in on
the expected interface, where 'expected' is determined by the route
table.

However, even if this check is disabled, it would not be possible to
establish a TCP connection because the acknowledgements would go out
the lo interface.

In normal use if you listen on localhost, you will only see
connections from localhost.  If you're worried it is easy to test.

-- 
Martin 
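As an added example, not part of the thread, here is a small POSIX shell check for the two points above: that squid's listener is bound to loopback only, and that rp_filter is on. The port 3128, the `ss -ltn` output format and the /proc path are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check that squid is bound to loopback
# only and that rp_filter (spoof protection) is on. Port 3128 is assumed.

# Return 0 if a local address as printed by "ss -ltn" is a loopback address.
listener_is_loopback() {
  case "$1" in
    127.*:*|"[::1]:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read "ss -ltn" style lines on stdin; print each listener on port $1 that is
# reachable from a non-loopback address; return 1 if any was found.
check_listeners() {
  port="$1"; bad=0
  while read -r state recvq sendq laddr peer rest; do
    case "$laddr" in
      *:"$port") listener_is_loopback "$laddr" || { echo "exposed: $laddr"; bad=1; } ;;
    esac
  done
  return "$bad"
}

# rp_filter: 1 = strict, 2 = loose; both mean spoof protection is active.
rp_filter_ok() {
  case "$1" in 1|2) return 0 ;; *) return 1 ;; esac
}

# Constructed sample output in the "ss -ltn" format (not captured from a host).
BAD_SAMPLE='LISTEN 0 128 127.0.0.1:3128 *:*
LISTEN 0 128 0.0.0.0:3128 *:*
LISTEN 0 128 *:22 *:*'
GOOD_SAMPLE='LISTEN 0 128 127.0.0.1:3128 *:*
LISTEN 0 128 [::1]:3128 [::]:*'

# On a live host: ss -ltn | check_listeners 3128
printf '%s\n' "$BAD_SAMPLE" | check_listeners 3128 || echo "squid is reachable beyond localhost"
printf '%s\n' "$GOOD_SAMPLE" | check_listeners 3128 && echo "squid is loopback-only"

rp=$(cat /proc/sys/net/ipv4/conf/all/rp_filter 2>/dev/null || echo unknown)
rp_filter_ok "$rp" || echo "rp_filter is not enabled (value: $rp)"
```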