Why is 255 off limits? What is 127.0.0.0 used for?
Hypothetically you’re working on an application but you don’t want that application exposed to the internet, you would use localhost to either expose it to 1 machine on your network or network wide by opening a port and telling the application to listen on the private IP assigned by your router.
Advanced setup would include a reverse proxy to forward the requests from the application's port to the internet, the reverse proxy would use port 80:80 (http) & 443:443 (https), so the flow would look a little like this -
Internet > Reverse Proxy listening on 80:80 & 443:443 > Application listening on 8080:8080
---
Why does it span to .254? Well this is another advanced setup but if you wanted to segregate two applications on different subnets you can. I’m not sure if there is a security benefit by adding the extra hop but the option is there.
> Why is 255 off limits? What is 127.0.0.0 used for?
To clarify, I meant that specific address - if the range starts at 127.0.0.1 for local, then surely 127.0.0.0 does something (or is reserved to sometimes do something, even if it never actually does in practice), too.
> Advanced setup would include a reverse proxy to forward the requests from the application's port to the internet
I use Traefik as my reverse proxy, but I have everything on subdomains for simplicity’s sake (no path mapping except when necessary, which it generally isn’t). I know 127.0.0.53 has special meaning when it comes to how the machine directs particular requests, but I never thought to look into whether Traefik or any other reverse proxy supported routing rules based on the IP address. But unless there’s some way to specify that IP and the IP of the machine, it would be limited to same device communications. Makes me wonder if that’s used for any container system (vs the use of the 10, 172.16-31, and 192.168 blocks that I’ve seen used by Docker).
> Well this is another advanced setup but if you wanted to segregate two applications on different subnets you can. I’m not sure if there is a security benefit by adding the extra hop
Is there an extra hop when you’re still on the same machine? Like an extra resolution step?
I still don’t understand why .255 specifically is prohibited. 8 bits can go up to 255, so it seems weird to prohibit one specific value. I’ve seen router subnet configurations that explicitly cap the top of the range at .254, though - I feel like I’ve also seen some that capped at .255 but I don’t have that hardware available to check. So my assumption is that it’s implementation specific, but I can’t think of an implementation that would need to reserve all the .255 values. If it was just the last one, that would make sense - e.g., as a convention for where the DHCP server lives on each network.
To add to this - localhost spans 127.0.0.1-127.254.254.254
> Why is 255 off limits? What is 127.0.0.0 used for?
To my limited knowledge: If it ends in .0 it’s the network identifier. If it ends in .255 it’s the broadcast address.
Thank you! That gives me a starting point that should be easy to look up!
The highest (all 1s in binary) host address in a network (last octet in /24) is the broadcast address; it is sent to all hosts in the network.
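As an added example (my own code, not posted by anyone in this thread), the script below uses Python's standard-library ipaddress module to compute the network and broadcast addresses of a block, to show that a last octet of .255 is only the broadcast address when the block is a /24, and to classify the loopback and private blocks mentioned above. All sample blocks and addresses are constructed for illustration.

```python
import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Network address, broadcast address and usable host range of a block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        # /31 and /32 blocks have no separate network/broadcast addresses.
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        # All-zeros host part is the network id, all-ones is broadcast;
        # everything in between is assignable to hosts.
        first = net.network_address + 1
        last = net.broadcast_address - 1
        usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


def role_in(ip: str, cidr: str) -> str:
    """Role of `ip` inside `cidr`: 'network', 'broadcast', 'host' or 'outside'.

    The broadcast address depends on the prefix length, not on the last
    octet alone: x.y.z.255 is broadcast in a /24 but an ordinary host in a
    larger block such as 127.0.0.0/8.
    """
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(cidr, strict=False)
    if addr not in net:
        return "outside"
    if net.prefixlen < 31:
        if addr == net.network_address:
            return "network"
        if addr == net.broadcast_address:
            return "broadcast"
    return "host"


def classify(ip: str) -> str:
    """Coarse classification: loopback (127/8), RFC 1918-style private, or other."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "other"
```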
…but why?
Let’s say you want to test a network service like a webserver (https://www.mywebserver.com/) on the same computer as the browser.
It was designed that way. This span of addresses should not be used for anything other than localhost-ery.
May seem like a wide span, but at the time that it was designed they didn’t anticipate needing every single address