Marko Karppinen <marko@karppinen.fi> writes:
> On 17. touko 2004, at 10:40, Tatsuo Ishii wrote:
> > Consider a program using JDBC on localhost. It can only reach to
> > PostgreSQL via TCP/IP.
Huh? Why on earth would that be true? Is this a limitation of our JDBC
drivers?
> Ah! Of course. That makes sense, and listening on 127.0.0.1 never
> hurt anyone (except, of course, the tinfoil hat crowd nmapping
> localhost in a frenzy...)
Actually on many systems it was very possible to send packets to a machine
with a source address of 127.0.0.1 even over external networks or through
routers. Making an attack out of this on a TCP service would be difficult, but
it has been done.
Good OS distributions install network filters by default to refuse such
packets, but lots of OSes still don't do this.
--
greg