From owner-freebsd-stable@FreeBSD.ORG Mon Sep 22 03:40:03 2003
Date: Mon, 22 Sep 2003 13:38:30 +0300
From: "Pertti Kosunen"
To: "Kris Kennaway"
cc: freebsd-stable@freebsd.org
Subject: Re: [snort] BAD-TRAFFIC loopback traffic 4.9-PRE
Message-ID: <00b801c380f5$aaef7af0$0b00000a@arenanet.fi>
References: <030501c37f99$4beb9500$0b00000a@arenanet.fi> <20030920210527.GB38264@rot13.obsecurity.org>
List-Id: Production branch of FreeBSD source code

>> What could cause this loopback traffic?
>
> Forged source address on a network with no egress filtering.
>
> Kris

Ok, I put ipfw on with the default simple mode.

ipfw -a l
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
...
Still get this:

tcpdump: listening on xl0
12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1165: R 0:0(0) ack 1416364033 win 0
12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1284: R 0:0(0) ack 72679425 win 0
12:52:32.717702 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1667: R 0:0(0) ack 1243086849 win 0

0:90:1a:40:1f:db is the default gateway's (ISP) MAC address; xl0 0:50:da:ca:61:e9 is my outside net card.

Is this normal traffic, and what should I check next?
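An added example, not part of the mailing-list thread, showing one way to check a capture like the one above for the condition Kris describes: a script that parses the tcpdump -e line format shown in the message, flags packets whose source address lies in a range that can never legitimately arrive from the Internet (127.0.0.0/8 first among them), and records whether the frame came from the gateway MAC to the xl0 MAC. One caveat worth knowing when reading the output: tcpdump reads from bpf, which sees inbound frames before ipfw evaluates them, so the deny rules do not change what tcpdump prints; the packet and byte counters in `ipfw -a l` are where hits on rule 300 would show up. The two MAC addresses are the ones from the message; the capture lines are constructed, with the redacted out.ip replaced by the documentation address 192.0.2.10, and the bogon list assumes the outside interface carries no RFC 1918 space.

```python
"""Flag spoofed loopback/bogon source addresses in a tcpdump -e capture.

Added example; not from the original mailing-list post. It parses the
link-level tcpdump line format shown in the message and reports packets
whose source address could only be legitimate on lo0 (or another bogon
range), yet arrived on the outside interface from the gateway's MAC.
"""
import ipaddress
import re
from dataclasses import dataclass

# MAC addresses as reported in the message: the ISP gateway and the local xl0 card.
GATEWAY_MAC = "0:90:1a:40:1f:db"
XL0_MAC = "0:50:da:ca:61:e9"

# Source networks that should never appear on packets arriving from the Internet
# (assumption: the outside interface carries no RFC 1918 space).
BOGON_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("0.0.0.0/8"),        # "this" network / unspecified
    ipaddress.ip_network("169.254.0.0/16"),   # link-local
    ipaddress.ip_network("224.0.0.0/4"),      # multicast is never a valid source
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
]

# Old tcpdump -e output: "ts smac dmac ethertype len: src.port > dst.port: flags ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+"
    r"(?P<ethertype>[0-9a-f]{4})\s+(?P<length>\d+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPU.]+)\s+(?P<rest>.*)$"
)

# Constructed sample: two lines in the shape of the message's capture (the redacted
# "out.ip" replaced by the documentation address 192.0.2.10) plus one ordinary SYN-ACK.
SAMPLE_CAPTURE = """\
12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1165: R 0:0(0) ack 1416364033 win 0
12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1284: R 0:0(0) ack 72679425 win 0
12:52:02.118400 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 198.51.100.7.80 > 192.0.2.10.1300: S 2712:2712(0) ack 1 win 16384
"""


@dataclass
class Finding:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    reason: str
    from_gateway: bool


def bogon_network(addr: str):
    """Return the bogon network containing addr, or None if the source is plausible."""
    ip = ipaddress.ip_address(addr)
    for net in BOGON_SOURCES:
        if ip in net:
            return net
    return None


def analyze(capture: str, gateway_mac: str = GATEWAY_MAC, local_mac: str = XL0_MAC):
    """Parse tcpdump -e lines and return a Finding for each packet with a bogon source."""
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the expected format (e.g. the "listening on" banner)
        net = bogon_network(m["src"])
        if net is None:
            continue
        reason = f"source {m['src']} is in {net}, which cannot legitimately arrive on the outside interface"
        if m["flags"] == "R":
            reason += "; bare RST with no payload looks like a forged reset"
        findings.append(Finding(
            ts=m["ts"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), flags=m["flags"], reason=reason,
            from_gateway=(m["smac"] == gateway_mac and m["dmac"] == local_mac),
        ))
    return findings


def summarize(findings):
    """Count findings per (source, flags) so a stream of repeated forged resets stands out."""
    counts = {}
    for f in findings:
        key = (f.src, f.flags)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE):
        where = "via gateway MAC" if f.from_gateway else "unexpected MAC pair"
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport} [{f.flags}] {where}: {f.reason}")
    print(summarize(analyze(SAMPLE_CAPTURE)))
```

Run against a saved capture by replacing SAMPLE_CAPTURE with the file contents; the from_gateway flag distinguishes frames the ISP router actually forwarded (the case in the message, which points at missing ingress filtering upstream) from frames injected by some other host on the local segment.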