| author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-03-04 23:40:04 +0000 |
|---|---|---|
| committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-03-04 23:40:04 +0000 |
| commit | 52ee084d78d1cb168b9a28685df99485331a4386 (patch) | |
| tree | c2a114e8be25c4d4d03557f9718deb9d66beab20 | |
| parent | c4df9e14f8f7eb664b6d139147020d25d862ced7 (diff) | |
Add a paragraph explaining possible unwanted side-effects of redirecting
to the loopback address.
-rw-r--r-- | share/man/man5/pf.conf.5 | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 8f18398d7e3..ceb95e98568 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.207 2003/03/04 22:50:36 deraadt Exp $ +.\" $OpenBSD: pf.conf.5,v 1.208 2003/03/04 23:40:03 dhartmei Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -843,6 +843,22 @@ Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself. .Pp +Note that redirecting external incoming connections to the loopback +address, as in +.Bd -literal -offset indent +.Xo Ic rdr on ne3 inet proto tcp\ +.Ic to port 8025 -> 127.0.0.1 port 25 +.Xc +.Ed +.Pp +will effectively allow an external host to connect to daemons +bound solely to the loopback address, circumventing the traditional +blocking of such connections on a real interface. +Unless this effect is desired, any of the local non-loopback addresses +should be used as redirection target instead, which allows external +connections only to daemons bound to this address or not bound to +any address. +.Pp .Sh PACKET FILTERING .Xr pf 4 has the ability to |
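Review bot: In the second hunk, the phrase "daemons bound to this address or not bound to any address" is imprecise, since a daemon listening on all interfaces is still bound to an address (the wildcard address) in socket terms; consider "bound to that address or to the wildcard address" so readers understand which listeners remain reachable through the redirection. Also worth verifying in the rendered page: the trailing backslash after `proto tcp` in the `.Bd -literal` example acts as a roff input-line continuation, joining `.Ic to port 8025 -> 127.0.0.1 port 25` onto the preceding input line before macro parsing, whereas the `.Xo`/`.Xc` wrapper already keeps the two `.Ic` lines on one output line without it.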