From owner-freebsd-security@FreeBSD.ORG Sun Feb 15 08:11:34 2004
From: erschulz@comcast.net
To: Flemming Jacobsen
cc: freebsd-security@freebsd.org
Date: Sun, 15 Feb 2004 16:11:33 +0000
Message-Id: <021520041611.22703.f3e@comcast.net>
Subject: Re: Localhost traffic and ipfw rules

On Sun, 15 Feb 2004, Flemming Jacobsen wrote:
> You probably want this as your first 3 rules:
>   allow ip from any to any via lo0
>   deny ip from any to 127.0.0.0/8
>   deny ip from 127.0.0.0/8 to any
>
> Some say that the TCP stack already takes care of this, but I
> like these rules in my set - just to be 100% sure.

Sorry about the long lines. I hope this one is better.

Well, let me see if I can clarify what I am seeing. My rules are similar, but the counters are not incrementing. That's when I started adding the other rules just to see if the counters would increment. The second rule below is a dead-on match for the packets I captured with tcpdump. Still, the counters do not increment.

  0 0 deny ip from any to 127.0.0.0/8 in recv dc0
  0 0 deny tcp from 127.0.0.1 to x.x.x.x tcpflags ack,rst
  0 0 deny ip from 127.0.0.0/8 to x.x.x.x

As you can see, none of these have incremented. And this has been the case every time, even though snort identified the traffic and I captured it with tcpdump. The counters were still zeros. The traffic is not present on lo0 or my internal interface. It is only present on my external interface. I'm not so much concerned about the traffic as I am with the failure of the counters to increment.

Thx,
Richard
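To check which of the quoted rules ipfw should have charged for the packets tcpdump captured, here is an added Python check; it is not code from this thread or from FreeBSD's ipfw. It parses the zero-count rule lines with a simplified model of ipfw's first-match semantics, runs a captured packet through them, and reports rules that should have counted hits but show zero. The packet, and the 192.0.2.10 address standing in for x.x.x.x, are constructed, and only the rule options that appear in the thread are modelled.

```python
import ipaddress
import re

# Constructed sample: the three zero-count rules from the mail, in `ipfw -a list`
# layout (<packets> <bytes> <rule body>); x.x.x.x is replaced by 192.0.2.10.
COUNTERS = """\
0 0 deny ip from any to 127.0.0.0/8 in recv dc0
0 0 deny tcp from 127.0.0.1 to 192.0.2.10 tcpflags ack,rst
0 0 deny ip from 127.0.0.0/8 to 192.0.2.10
"""

# Constructed packet as tcpdump reported it: loopback-sourced, arriving on dc0.
CAPTURED = [{"proto": "tcp", "src": "127.0.0.1", "dst": "192.0.2.10",
             "iface": "dc0", "direction": "in", "flags": {"ack", "rst"}}]

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(allow|deny)\s+(ip|tcp|udp|icmp)\s+"
                     r"from\s+(\S+)\s+to\s+(\S+)(.*)$")

def parse_rule(line):
    """Parse one counter line; only the rule options used in the mail are handled."""
    pkts, _, action, proto, src, dst, opts = RULE_RE.match(line.strip()).groups()
    net = lambda t: None if t == "any" else ipaddress.ip_network(t, strict=False)
    toks = opts.split()
    return {"pkts": int(pkts), "action": action, "proto": proto, "src": net(src),
            "dst": net(dst),
            "direction": next((t for t in toks if t in ("in", "out")), None),
            "recv": toks[toks.index("recv") + 1] if "recv" in toks else None,
            "tcpflags": set(toks[toks.index("tcpflags") + 1].split(","))
                        if "tcpflags" in toks else set()}

def matches(rule, pkt):
    # Simplified ipfw semantics: proto "ip" is a wildcard, "recv" requires an
    # inbound packet on that interface, and every listed tcpflag must be set.
    in_net = lambda end: rule[end] is None or ipaddress.ip_address(pkt[end]) in rule[end]
    return (rule["proto"] in ("ip", pkt["proto"]) and in_net("src") and in_net("dst")
            and rule["direction"] in (None, pkt["direction"])
            and (rule["recv"] is None
                 or (pkt["direction"] == "in" and pkt["iface"] == rule["recv"]))
            and rule["tcpflags"] <= pkt.get("flags", set()))

def stale_counters(counter_text, packets):
    """Indices of rules that should have matched (first match wins) but show 0 hits."""
    rules = [parse_rule(l) for l in counter_text.splitlines() if l.strip()]
    expected = [0] * len(rules)
    for pkt in packets:
        hit = next((i for i, r in enumerate(rules) if matches(r, pkt)), None)
        if hit is not None:
            expected[hit] += 1
    return [i for i, r in enumerate(rules) if expected[i] and r["pkts"] == 0]
```

For the captured packet the second rule (index 1) is the first match, so a zero counter there means the packet never reached ipfw's rule walk, which narrows the question to where in the stack the packet is seen.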