From owner-freebsd-ipfw  Sun May 14 19:53:48 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from io.dreamscape.com (io.dreamscape.com [206.64.128.6])
	by hub.freebsd.org (Postfix) with ESMTP id 20B6037B592
	for <freebsd-ipfw@freebsd.org>; Sun, 14 May 2000 19:53:46 -0700 (PDT)
	(envelope-from krentel@dreamscape.com)
Received: from dreamscape.com (sa3-p59.dreamscape.com [207.198.19.123])
          by io.dreamscape.com (8.9.3/8.8.4) with ESMTP
	  id WAA03170 for <freebsd-ipfw@freebsd.org>; Sun, 14 May 2000 22:52:38 -0400 (EDT)
X-Dreamscape-Track-A: sa3-p59.dreamscape.com [207.198.19.123]
X-Dreamscape-Track-B: Sun, 14 May 2000 22:52:38 -0400 (EDT)
Received: (from krentel@localhost)
	by dreamscape.com (8.9.3/8.9.3) id WAA07148
	for freebsd-ipfw@freebsd.org; Sun, 14 May 2000 22:52:36 -0400 (EDT)
	(envelope-from krentel)
Date: Sun, 14 May 2000 22:52:36 -0400 (EDT)
From: "Mark W. Krentel" <krentel@dreamscape.com>
Message-Id: <200005150252.WAA07148@dreamscape.com>
To: freebsd-ipfw@freebsd.org
Subject: rc.firewall rule 200
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The rc.firewall script adds these rules:

   ${fwcmd} add 100 pass all from any to any via lo0
   ${fwcmd} add 200 deny all from any to 127.0.0.0/8

The second rule blocks packets destined for network 127.  But doesn't
it make more sense to block packets *from* 127.0.0.0/8, that is,
packets trying to spoof localhost?  I'm wondering if the rule should
actually be:

   ${fwcmd} add 200 deny all from 127.0.0.0/8 to any

Also, how does rule 200 (original version) ever get invoked?  The
packet is not going over loopback because of rule 100.  So, why would
a machine forward a packet destined for network 127?

--Mark


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message