A few years back my college lecturer suggested that the most secure way to setup a (linux) firewall is to not have any loopback (lo) interface and hence it cannot run any local services but only forward traffic back and forth, etc. Obviously you would then have to manage the host from the console.
Someone has a severe concept/nomenclature problem. The presence or absence of a loopback interface has nothing to do with the services that are being offered. The loopback is how the computer talks to _itself_ and if the loopback is vulnerable, it's because someone already 0wnZ the computer.
What is probably being talked about is not offering any services, OR limiting access to such services to specific internal hosts. Another concept is that there is no access FROM the firewall to any other system inside OR out - that is, the firewall is not considered a trusted system.
Gee, my home firewall is an old laptop that doesn't have a case, keyboard or display and offers no network services. Wonder why that works.
formatting link
and search for "Practical Unix & Internet Firewalls" by Zwicky, et.al.
Linux does not bind to the loopback interface like Windows misguidedly does. Linux/Unix programs bind to the address found by gethostbyname( gethostname() ).
In this manner, any program that can create a port on the NIC, is instantly usable both publically and internally.
Internal services are accessed by FIFOs, SHMAT {ie shared seggments} or the AF-UNIX domain kind of sockets {not AF-TCP-ip public sockets }
hint: read the book(s) for youself and/or verify what you read/hear -- including this! :-)
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.