Is default filter rule "accept to local loopback (for CAPsMAN)" safe?

Batman · November 24, 2023, 3:54am

In the default firewall filter rule set there is one rule that makes me wonder if it is safe:

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

Why there is not at least

in-interface-list=!WAN

?

ghostinthenet · November 24, 2023, 11:39pm

Loopback addresses aren’t routable. Any traffic to a loopback address from any device will arrive on itself, so traffic for that address will never arrive on an interface. It’s pretty safe.

I suppose someone could generate forged packets from a directly connected network. If you’re worried about it, add “in-interface-list=all” to the rule to block anything that originates off-device.

Moba · November 24, 2023, 11:52pm

Like previously said, 127.0.0.1 is a special address for the local computer connecting to itself, and !WAN means not from WAN. The default filter rules are solid and shouldn’t be changed unless you know what the rules are doing.

Batman · November 25, 2023, 2:38am

You mean “in-interface-list=none”?

ghostinthenet · November 25, 2023, 12:54pm

Right. Sorry about that. I was thinking in terms of a drop rule and not an accept rule for some reason.

Batman · November 26, 2023, 10:00am

Thanks for the comments.

I’ve made more research and apparently the default rule is safe without any modifications. This is because router automatically discards packet if its destination IP address is not the same as router’s IP in the network the packet is coming from.

Though I’m not 100% sure of this but I can live with it

ghostinthenet · November 26, 2023, 1:11pm

This isn’t quite true. By default, the router will accept traffic for any of its interface’s addresses regardless of which interface it arrives on. It’s fairly common practice for a router to be managed using a loopback bridge, which wouldn’t work if it were dropping packets arriving on other interfaces.

You’re still safe, but it’s because traffic to that specific 127.0.0.1 address can’t be routed.

Batman · November 28, 2023, 12:13am

Thanks for correcting.

Apparently a packet from network with destination IP 127.0.0.1 is called Martian packet and it’s been defined in the Internet protocol suite that these packets must be dropped, not by user but by operating system. So there’s an unknown process involved that handles the dropping. That’s why network traffic to 127.0.0.1 is called “not routable” and there’s no need to use custom made firewall filter for this.