I've currently got a loopback rule that allows any UDP/TCP in both directions to and from 127.0.0.1.
I get prompts from my FW (Tiny v2) about loopback traffic to/from the IP assigned to me by my ISP, this IP is dynamic. Is there a way to create a local loopback rule that allows traffic to/from all IPs assigned to the local machine?
It is IMPOSSIBLE for anyone on the internet to access any port on the loopback address 127.0.0.1. This address is 'non-routable' across the internet and can only be used by the local host.
In Windows, you may well see a proxy on this address, but it also has a port on the system IP address. Your email client will access the loopback:port and the proxy will forward to the ISP over the non-loopback address.
Two generic rules at the top of the firewall are useful to reduce the processing done by the firewall:
1) allow i/o 127.0.0.1 tcp+udp #anything local is ok
2) allow i/o lan-lan tcp+udp #your lan is ok too; substitute a valid ip address range for lan-lan
"IMPOSSIBLE" ? Even if one goes in on the same segment and creates a raw packet with the destination machine's MAC and 127.0.0.1 as the IP ? Especially if the destination happens to be in promiscuous mode?
Obviously this would not be in accordance with the standards, but that's a bit different than "IMPOSSIBLE".
Like all things, it depends upon what you know about the environment. In my case, there's no exposure from other systems, even guest systems, due to mapping a portion of the LAN via MAC and reducing (2) to that subset. All systems above my last static IP are then caught by the default deny.
If the source IP is not also 127.*.*.*, TCP will not route that packet. So, as Windows is prone to do, ports can be created on 127.0.0.1 and service any local program. Requests even from 127.x.y.z can reach 127.0.0.1 services. All other source addresses will not be routed. Ergo: it is IMPOSSIBLE for anyone on the internet to access any port on the loopback address 127.0.0.1.
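The posts above argue about which addresses can reach a service that sits on 127.0.0.1. The point that actually matters for the original question is the bind address of the listening socket: a service bound to 127.0.0.1 answers only on that address, a service bound to 0.0.0.0 (INADDR_ANY) answers on every address the host owns, including the ISP-assigned one, which is why the firewall sees "loopback" traffic involving the public IP. The script below is an added example written for this page, not code from any of the posters or from Tiny Personal Firewall. It assumes a Linux host, where the whole 127.0.0.0/8 block is routed to the loopback interface, so 127.0.0.2 and 127.0.0.5 are usable as second loopback addresses without configuration; the port numbers are ephemeral and chosen by the OS.

```python
import socket
import threading


def start_server(bind_addr):
    """Listen on (bind_addr, ephemeral port); accept-and-close until the listener is closed.

    Returns (listening_socket, port). The accept loop runs in a daemon thread so
    the caller can close the listener to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return  # listener closed by the caller
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def can_connect(dst_addr, port, src_addr=None, timeout=1.0):
    """True if a TCP connect to (dst_addr, port) completes.

    src_addr, when given, is bound on the client side first so the connection
    carries that source address (e.g. 127.0.0.5 instead of 127.0.0.1).
    """
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(timeout)
    try:
        if src_addr:
            cli.bind((src_addr, 0))
        cli.connect((dst_addr, port))
        return True
    except OSError:
        # ECONNREFUSED (nothing listening on that address), EADDRNOTAVAIL
        # (source address not local) and timeouts all count as "no".
        return False
    finally:
        cli.close()


def run_demo():
    """Probe a 127.0.0.1-bound and a 0.0.0.0-bound listener from several addresses."""
    results = {}

    # A service that binds only the loopback address.
    srv, port = start_server("127.0.0.1")
    results["lo-bound: dst 127.0.0.1"] = can_connect("127.0.0.1", port)
    # Same host, same loopback interface, different destination address: refused.
    results["lo-bound: dst 127.0.0.2"] = can_connect("127.0.0.2", port)
    # Another 127.x.y.z *source* address reaches a 127.0.0.1 service fine.
    results["lo-bound: src 127.0.0.5 -> dst 127.0.0.1"] = can_connect(
        "127.0.0.1", port, src_addr="127.0.0.5"
    )
    srv.close()

    # A service that binds INADDR_ANY answers on every local address, so the
    # same 127.0.0.2 probe now succeeds; on a real host it would also answer on
    # the LAN and ISP-assigned addresses.
    srv, port = start_server("0.0.0.0")
    results["any-bound: dst 127.0.0.2"] = can_connect("127.0.0.2", port)
    srv.close()

    return results


if __name__ == "__main__":
    for probe, ok in run_demo().items():
        print(f"{probe:45s} {'connected' if ok else 'refused'}")
```

The practical takeaway for the firewall rule: a loopback-only rule for 127.0.0.1 cannot cover a proxy that listens on 0.0.0.0, because the client side of those connections may use the dynamic public address. Either configure the proxy to bind 127.0.0.1 only, which makes the prompts disappear without widening the rule, or, if the rule must be widened, restrict it to the local machine's own addresses rather than to "any".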
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.