
Peter Wolf via luv-beginners wrote:
I want to know if the following output is indicative of a healthy computer system. The command is "netstat -t".
I am worried about the apparent circular reference with localhost.

On GNU/Linux "netstat" has been deprecated for over a decade.
You should use "ss" instead.
See also https://en.wikipedia.org/wiki/iproute2

It is perfectly normal for a host to talk to itself.
That's what the loopback interface, and the 127.0.0.0/8 address range, is for.
Here's a host I have:

    root@tweak:~# ss -n | grep -e ^Netid -e 127.*127
    Netid State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
    udp   ESTAB      0      0      127.0.0.1:53520     127.0.0.1:60044
    udp   ESTAB      0      0      127.0.0.1:43282     127.0.0.1:43282
    udp   ESTAB      0      0      127.0.0.1:60044     127.0.0.1:53520
    tcp   CLOSE-WAIT 55     0      127.0.0.1:37780     127.0.0.1:10025
    tcp   ESTAB      0      0      127.0.0.1:47327     127.0.0.1:54637
    tcp   ESTAB      0      0      127.0.0.1:32843     127.0.0.1:37867
    tcp   ESTAB      0      0      127.0.0.1:54637     127.0.0.1:47327
    tcp   ESTAB      0      0      127.0.0.1:37867     127.0.0.1:32843

If you run ss with -p (as root) you can see what the processes in question are.
For example, I see these (hand-elided and hand-wrapped):

    root@tweak:~# ss -np | grep -e ^Netid -e 127.*127
    ... users:(("pinger",pid=7557,fd=1),
               ("pinger",pid=7557,fd=0))
    ... users:(("postgres",pid=15895,fd=10),
               ("postgres",pid=15894,fd=10),
               ("postgres",pid=15893,fd=10),
               ("postgres",pid=15892,fd=10),
               ("postgres",pid=15891,fd=10),
               ("postgres",pid=15889,fd=10))
    ... users:(("squid",pid=27687,fd=11))
    ... users:(("/usr/sbin/amavi",pid=29179,fd=14))
    ... users:(("squid-acl-check",pid=7559,fd=1),
               ("squid-acl-check",pid=7559,fd=0))
    ... users:(("squid",pid=27687,fd=21))
    ... users:(("squid",pid=27687,fd=18))
    ... users:(("squid-acl-check",pid=7560,fd=1),
               ("squid-acl-check",pid=7560,fd=0))

i.e. right now squid and amavis are using the loopback interface.
NFS is another obvious candidate.
DNS via systemd-resolved (without libnss-resolve) also needs lo.

I *think* dbus stuff happens via unix sockets, so won't appear on the
loopback interface, but you can see it in ss using -x.

You can see how much relies on the loopback interface by turning it
off and watching things break (DON'T DO THIS to a production host):

    sudo ip link set lo down
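
An added example, not part of the original message: a Python script that groups the loopback rows of `ss -n` output into connections, showing that the "circular" look comes from each localhost-to-localhost connection being listed once per end with local and peer swapped. The function names are hypothetical, and the sample input is the `ss -n` listing from the message above.

```python
import ipaddress
import sys

# Sample input: the `ss -n` listing from the message above.
SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp ESTAB 0 0 127.0.0.1:53520 127.0.0.1:60044
udp ESTAB 0 0 127.0.0.1:43282 127.0.0.1:43282
udp ESTAB 0 0 127.0.0.1:60044 127.0.0.1:53520
tcp CLOSE-WAIT 55 0 127.0.0.1:37780 127.0.0.1:10025
tcp ESTAB 0 0 127.0.0.1:47327 127.0.0.1:54637
tcp ESTAB 0 0 127.0.0.1:32843 127.0.0.1:37867
tcp ESTAB 0 0 127.0.0.1:54637 127.0.0.1:47327
tcp ESTAB 0 0 127.0.0.1:37867 127.0.0.1:32843
"""

def is_loopback(endpoint):
    """True if an ss endpoint (addr:port or [addr]:port) is 127.0.0.0/8 or ::1."""
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*", unix socket paths, header text
        return False

def pair_loopback(ss_output):
    """Return (paired, self_connected, one_sided) lists of (proto, a, b)."""
    seen = set()
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) >= 6 and is_loopback(f[4]) and is_loopback(f[5]):
            seen.add((f[0], f[4], f[5]))
    paired, self_connected, one_sided = [], [], []
    for proto, local, peer in sorted(seen):
        if local == peer:
            self_connected.append((proto, local, peer))
        elif (proto, peer, local) not in seen:
            one_sided.append((proto, local, peer))  # other end not listed
        elif local < peer:  # both ends listed: report the pair once
            paired.append((proto, local, peer))
    return paired, self_connected, one_sided

if __name__ == "__main__":
    # Pipe real output in (ss -n | python3 script.py) or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for label, rows in zip(("paired", "self-connected", "one-sided"), pair_loopback(text)):
        for proto, a, b in rows:
            print(f"{label:15} {proto} {a} <-> {b}")
```

On the sample, six of the eight rows collapse into three connections; the one-sided row is the CLOSE-WAIT socket to port 10025, whose other end does not appear in the listing.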