Block access to 127.0.0.1/localhost and LAN address from the internet

[SARG04]

Hello I suggest blocking all websites on the internet from accessing local resources (localhost/router IP) to prevent the easy exploitation of security vulnerabilitys.

There are many software packages which are running a web server on localhost and if they are not secure they can be attacked from any website. The last bigger issue of this kinde is "logitech Options"
https://bugs.chromium.org/p/project-zero/issues/detail?id=1663

I use Dynamic filtering for some time to block all addresses relevant in my network:

* 127.0.0.1 * block
127.0.0.1 127.0.0.1 * allow
* localhost * block
localhost localhost * allow
* 192.168.0.1 * block
192.168.0.1 192.168.0.1 * allow
* speedport.ip * block
speedport.ip speedport.ip * allow
* 192.168.0.10 * block
192.168.0.10 192.168.0.10 * allow
.....

So I prevent other sites from interactions with servers which are running on my system or my router.

But there are some "legitimate" sites which are using access to a local server e.g. Intel Driver update:
https://www.intel.de/content/www/de/de/support/intel-driver-support-assistant.html

So Dynamic filtering is not the best for a general solution.
So a filter list with the possibility of overwriting some site would be better solution.

I don't know the syntax for filter lists sorry therefore no finished list.

I would suggest blocking external access to Private IP addresses and known router host names:
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

router host names (which work even if the user changes the router IP)
speedport.ip, congstar.box, fritz.box, routerlogin.com, routerlogin.net, samsung.router, easy.box, arcor.easybox

[mapx-]

@gwarser What do you think about this request ?

[okiehsch]

I suggest blocking all websites on the internet from accessing local resources (localhost/router IP)

I do not see how this is possible without also blocking the local access of the router via one's browser.

[gwarser]

uBO does not support syntax for IP subnets. This will need to be regular expression filter.

!---------
! https://en.wikipedia.org/wiki/Private_network
/^https?://10(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){3}[:/]/$third-party
! http://gamon.webfactional.com/regexnumericrangegenerator/
! http://www.analyticsmarket.com/freetools/ipregex
! 172.16.0.0 – 172.31.255.255
/^https?://172\.(?:1[6-9]|2[0-9]|3[01])(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){2}[:/]/$third-party
/^https?://192\.168(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){2}[:/]/$third-party
!---------
! https://en.wikipedia.org/wiki/Localhost
/^https?://127(?:\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5]))){3}[:/]/$third-party
||::1^$third-party
||localhost^$third-party
!---------
||arcor.easybox^$third-party
||congstar.box^$third-party
||easy.box^$third-party
||fritz.box^$third-party
||hi.link^$third-party
||routerlogin.com^$third-party
||routerlogin.net^$third-party
||samsung.router^$third-party
||speedport.ip^$third-party

And IPv6, and more custom domains. And websockets?

---

And hope for browsers to normalize to https://en.wikipedia.org/wiki/Dot-decimal_notation and not binary/octa/hexa.

---

https://duckduckgo.com/?q=IP+range+regex&t=ffsb&ia=web

---

Userinfo: http://foobar@localhost:8080/

---

https://github.com/gwarser/filter-lists/blob/master/lan-block.txt can be enabled in uBO selection of filter lists.

[okiehsch]

Would blocking third-party requests really prevent "websites on the internet from accessing local resources", which probably means a successfull DNS Rebinding Attack or some other hack has occurred?

[gwarser]

Something can be accessed. I can include image from my 3g modem in webpages. Can be used for tracking/fingerprinting.

[uBlock-user]

Best is to block this via Dynamic Rules. Use cases for this is like few needles in a haystack.

[js290]

Best is to block this via Dynamic Rules. Use cases for this is like few needles in a haystack.

needle found: CVE-2024-2883

[gwarser]

Blocked/restricted. Would "Block Outsider Intrusion into LAN" list prevent this?

---

It's related to https://en.wikipedia.org/wiki/ANGLE_(software)

[uBlock-user]

needle found: CVE-2024-2883

Block via dynamic rules or use gwarser's list.

[gwarser]

Related to Pwn2Own? I see a screenshot with local address in https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results (SUCCESS - Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois)...), but it's just probably only the sample page.

https://www.ghacks.net/2024/04/04/another-google-chrome-0-day-vulnerability-fixed-update-asap/