Creating a loopback rule for all IPs bound to a machine?

I've currently got a loopback rule that allows any UDP/TCP in both directions to and from 127.0.0.1.

I get prompts from my FW (Tiny v2) about loopback traffic to/from the IP assigned to me by my ISP; this IP is dynamic. Is there a way to create a local loopback rule that allows traffic to/from all IPs assigned to the local machine?

Reply to
Spartanicus

It is IMPOSSIBLE for anyone on the internet to access any port on the loopback address 127.0.0.1. This address is 'non-routable' across the internet and can only be used by the local host.

In Windows, you may well see a proxy on this address, but it also has a port on the system ip-address. Your email client will access the loopback:port and the proxy will forward to the isp over the non-loopback address.

Two generic rules at the top of the firewall are useful to reduce the processing done by the firewall:

1) allow i/o 127.0.0.1 tcp+udp #anything local is ok
2) allow i/o lan-lan tcp+udp #your lan is ok too

and substitute a valid IP address range for lan-lan.
Reply to
Jeff B
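The rule ordering discussed above, modelled as an added example (not code from the thread or from Tiny Personal Firewall, which has no scripting interface): rule 1 is the 127/8 loopback rule, rule 2 is the LAN-to-LAN rule with a range substituted for lan-lan, and between them sits the rule the original poster asked for, which only matches when both ends of a flow are addresses currently bound to the machine, so a dynamic ISP address is covered without admitting arbitrary traffic to it. The IP addresses in the demo are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
import socket
from typing import Optional, Set

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def bound_ipv4_addresses() -> Set[ipaddress.IPv4Address]:
    """Return the IPv4 addresses currently assigned to this host.

    Re-run after a DHCP lease change so a dynamic ISP address is picked up."""
    addrs = {ipaddress.ip_address("127.0.0.1")}
    for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
        addrs.add(ipaddress.ip_address(info[4][0]))  # info[4] is (host, port)
    return addrs


def classify_flow(src: str, dst: str, local: Set[ipaddress.IPv4Address],
                  lan: Optional[ipaddress.IPv4Network] = None) -> str:
    """Match a flow against the rules from the thread, top to bottom.

    Returns the name of the first matching rule, or "deny" for the implicit
    default-deny that catches everything else."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 1: classic loopback, both endpoints inside 127/8.
    if s in LOOPBACK_NET and d in LOOPBACK_NET:
        return "loopback"
    # "Self" rule: both endpoints are bound to this machine. Requiring BOTH
    # ends to be local is what keeps the dynamic ISP address from becoming
    # an open door for remote traffic that merely targets it.
    if s in local and d in local:
        return "self"
    # Rule 2: LAN-to-LAN, with the poster's lan-lan placeholder substituted.
    if lan is not None and s in lan and d in lan:
        return "lan"
    return "deny"


if __name__ == "__main__":
    # Constructed demo: a host with a LAN address and a dynamic ISP address.
    local = {ipaddress.ip_address(a)
             for a in ("127.0.0.1", "192.168.1.10", "198.51.100.7")}
    lan = ipaddress.ip_network("192.168.1.0/24")
    for flow in (("127.0.0.1", "127.0.0.1"), ("198.51.100.7", "198.51.100.7"),
                 ("203.0.113.5", "198.51.100.7"), ("192.168.1.10", "192.168.1.20")):
        print(flow, "->", classify_flow(*flow, local, lan))
```

For a live host, replace the constructed set with `bound_ipv4_addresses()`; the firewall prompts the poster sees correspond to flows that fall through to "deny" because the dynamic address is not in the static rule set.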

"IMPOSSIBLE" ? Even if one goes in on the same segment and creates a raw packet with the destination machine's MAC and 127.0.0.1 as the IP ? Especially if the destination happens to be in promiscuous mode?

Obviously this would not be in accordance with the standards, but that's a bit different than "IMPOSSIBLE".

Reply to
Walter Roberson

OK.

You cannot say this in general.

Yours, VB.

Reply to
Volker Birk

Like all things, it depends upon what you know about the environment. In my case, there's no exposure from other systems, even guest systems, due to mapping a portion of the LAN via MAC and reducing (2) to that subset. All systems above my last static IP are then caught by the default deny.

Reply to
Jeff B

If the source IP is not also 127.*.*.*, TCP will not route that packet. So, as Windows is prone to do, ports can be created on 127.0.0.1 and service any local program. Requests even from 127.x.y.z can reach 127.0.0.1 services. All other source addresses will not be routed. Ergo: it is IMPOSSIBLE for anyone on the internet to access any port on the loopback address 127.0.0.1.
Reply to
Jeff B
