From owner-freebsd-ipfw Sun May 14 19:53:48 2000
Date: Sun, 14 May 2000 22:52:36 -0400 (EDT)
From: "Mark W. Krentel" <krentel@dreamscape.com>
Message-Id: <200005150252.WAA07148@dreamscape.com>
To: freebsd-ipfw@freebsd.org
Subject: rc.firewall rule 200

The rc.firewall script adds these rules:

    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

The second rule blocks packets destined for network 127. But doesn't it
make more sense to block packets *from* 127.0.0.0/8, that is, packets
trying to spoof localhost? I'm wondering if the rule should actually be:

    ${fwcmd} add 200 deny all from 127.0.0.0/8 to any

Also, how does rule 200 (original version) ever get invoked? The packet
is not going over loopback because of rule 100. So, why would a machine
forward a packet destined for network 127?

--Mark
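To make the two versions of rule 200 concrete, here is an added example (not from rc.firewall or ipfw itself) that models ipfw's first-match evaluation over the three rules above and checks which packets each version drops. The interface name ed0, the 10.0.0.5 address and the default allow rule 65535 are constructed assumptions.

```python
import ipaddress

# Constructed rule sets: (number, action, source, destination, via-interface).
# The first mirrors the rc.firewall excerpt; the second uses the proposed
# "from 127.0.0.0/8 to any" form. Rule 65535 is an assumed default allow.
ORIGINAL_RULES = [
    (100, "pass", "any", "any", "lo0"),
    (200, "deny", "any", "127.0.0.0/8", None),
    (65535, "pass", "any", "any", None),
]
PROPOSED_RULES = [
    (100, "pass", "any", "any", "lo0"),
    (200, "deny", "127.0.0.0/8", "any", None),
    (65535, "pass", "any", "any", None),
]

def _addr_matches(spec, addr):
    """'any' matches everything; otherwise test membership in the prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, src, dst, iface):
    """Return (rule_number, action) of the first rule matching the packet.

    Rules are consulted in ascending number order and the first match
    decides, as in ipfw. A 'via IFACE' clause limits the rule to packets
    seen on that interface in either direction.
    """
    for num, action, src_spec, dst_spec, via in sorted(rules):
        if via is not None and via != iface:
            continue
        if _addr_matches(src_spec, src) and _addr_matches(dst_spec, dst):
            return num, action
    raise RuntimeError("no rule matched")  # ipfw always has a default rule

def spoofed_loopback_blocked(rules):
    """Is a packet claiming a 127/8 source, arriving on ed0, denied?"""
    _, action = evaluate(rules, "127.0.0.1", "10.0.0.5", "ed0")
    return action == "deny"

def loopback_destination_blocked(rules):
    """Is a packet to 127/8 that arrives on ed0 (not lo0) denied?"""
    _, action = evaluate(rules, "10.0.0.5", "127.0.0.1", "ed0")
    return action == "deny"
```

Genuine loopback traffic hits rule 100 under both rule sets; the original rule 200 only catches packets addressed to 127/8 that show up on a non-loopback interface, while the proposed form catches the spoofed-source case the mail raises.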