ansible-ferm
Filtering loopback connections
Inspired by the Server Side Request Forgery security incident described here with important background on HN, I would like to filter access originating and targeting the loopback interface.
In order to achieve this, I would need a mechanism to drop traffic before it is allowed by the interface lo ACCEPT rule (see ferm.conf.j2).
Do you have an idea how this could be implemented?
@StephanErb Sure, I want to move all different rules currently defined in ferm.conf to separate rule files; this particular set of rules would be moved to the filter/input/ subdirectory and included from there.
I'm also looking into a way to selectively disable specific default rules in the firewall in an idempotent way, so that for example you could replace a rule with your own in your own role without the need to mess with debops.ferm, and at the same time debops.ferm will not revert the change on the next run.
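As an added illustration of the rule ordering the question asks about (this is example configuration, not from the thread and not from debops.ferm), the blocking rule has to sit ahead of the loopback catch-all. The service account www-data, the loopback-bound service on TCP port 6379 and the log prefix are assumptions.

```ferm
# Added example, not part of debops.ferm. Restricting which local process may
# reach a loopback service has to be done in OUTPUT: the owner match (uid of
# the sending process) is only available there, not in INPUT.
domain ip table filter chain OUTPUT {
    # Assumed: the web application runs as www-data and must not reach the
    # loopback-only service on port 6379 (SSRF from the app would land here).
    outerface lo proto tcp dport 6379 mod owner uid-owner www-data {
        LOG log-prefix "ferm-lo-block: ";
        REJECT reject-with tcp-reset;
    }
    # The catch-all must come after the blocking rule, otherwise it wins.
    outerface lo ACCEPT;
}

domain ip table filter chain INPUT {
    # INPUT still accepts loopback traffic; filtering by sender happened above.
    interface lo ACCEPT;
}
```

The LOG line gives a syslog entry per blocked attempt, which is what you would alert on when checking whether an application is trying to reach loopback services it should not.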