From owner-freebsd-questions@FreeBSD.ORG Thu Apr 10 19:50:11 2008
Date: Thu, 10 Apr 2008 14:50:10 -0500
From: Dan Nelson
To: Rob
Cc: FreeBSD Questions
Subject: Re: ipfw denial log - what's this mean?
Message-ID: <20080410195010.GB4704@dan.emsphone.com>
References: <47FE5EC1.7000809@gmail.com>
In-Reply-To: <47FE5EC1.7000809@gmail.com>
X-OS: FreeBSD 7.0-STABLE
User-Agent: Mutt/1.5.17 (2007-11-01)

In the last episode (Apr 10), Rob said:
> Hi Everyone,
>
> My 6.2-Release system coughed up a report of denied packets from ipfw
> in its daily security run:
>
> ipfw denied packets:
> +++ /tmp/security.gnkQg5CA Thu Apr 10 03:04:15 2008
> +00200 12 795 deny ip from any to 127.0.0.0/8
>
> What does this mean? I understand that's the loopback interface, but
> I'm not terribly knowledgeable on ipfw. Is this some crack attempt,
> or normal background noise? I don't understand how lo0 would ever
> see any IP addresses other than its own?!
>
> The whole rule set looks like this:
>
> # ipfw show
> 00100 4749394 1011660210 allow ip from any to any via lo0
> 00200 12 795 deny ip from any to 127.0.0.0/8

Since rule 100 matches any lo0 packets, rule 200 actually matches packets
destined to 127.0.0.1 from a _non-loopback_ interface, which isn't usually
possible unless an external machine directly injects those packets onto
the network. You can try changing that rule to a "deny log", then watch
/var/log/security for hits.

--- rc.firewall 20 Feb 2008 01:39:04 -0000
+++ rc.firewall 21 Feb 2008 21:51:44 -0000
@@ -83,8 +83,8 @@ # Only in rare cases do you want to change these rules # ${fwcmd} add 100 pass all from any to any via lo0 - ${fwcmd} add 200 deny all from any to 127.0.0.0/8 - ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any + ${fwcmd} add 200 deny log all from any to 127.0.0.0/8 + ${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any } if [ -n "${1}" ]; then -- Dan Nelson dnelson@allantgroup.com
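Review bot: the `log` keyword added to rules 200 and 300 produces nothing until firewall logging is actually enabled (net.inet.ip.fw.verbose=1, which rc.conf's firewall_logging="YES" sets), and when net.inet.ip.fw.verbose_limit is non-zero the kernel stops logging a rule once its count reaches that limit until `ipfw resetlog` is run; since this block sits under the "Only in rare cases do you want to change these rules" comment, consider either `deny log logamount <n>` on both lines or a comment above them noting the sysctl dependency. Minor style point: rule 200 uses `all` and rule 300 uses `ip`; ipfw treats them as synonyms, so one keyword on both lines would be more consistent.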
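The reply above explains why rule 200 can only ever count packets that did not arrive on lo0: ipfw evaluates rules in order and stops at the first match, and rule 100 already swallows everything seen via lo0. The following toy evaluator is an added example and is not code from the thread or from FreeBSD; it models only the `via <ifname>` clause and source/destination prefixes of the two posted rules, and the interface name em0 and the 192.0.2.0/24 addresses are constructed sample values. It also parses the `ipfw show` counter line from the daily security report, stripping the leading `+` that the report's diff output adds.

```python
"""Added example (not from the mailing-list thread): a first-match
evaluator for the two ipfw rules posted in the question, showing which
rule a packet hits depending on the interface it was seen on."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet was seen on (in or out)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow" or "deny"
    src: str               # "any" or a CIDR prefix
    dst: str               # "any" or a CIDR prefix
    via: Optional[str] = None  # interface name from a "via <ifname>" clause

    def matches(self, pkt: Packet) -> bool:
        def in_prefix(spec: str, addr: str) -> bool:
            if spec == "any":
                return True
            return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

        # "via lo0" restricts the rule to packets seen on that interface.
        if self.via is not None and pkt.iface != self.via:
            return False
        return in_prefix(self.src, pkt.src) and in_prefix(self.dst, pkt.dst)


# The rule set from the original message, in ipfw's first-match order.
RULESET: List[Rule] = [
    Rule(100, "allow", "any", "any", via="lo0"),
    Rule(200, "deny", "any", "127.0.0.0/8"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Return the number of the first matching rule, or None if nothing
    matched (a real ipfw would then fall through to later rules and
    finally to the default rule 65535)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.number
    return None


def parse_ipfw_show(line: str) -> Tuple[int, int, int, str]:
    """Parse one `ipfw show` line into (rule number, packets, bytes, text).

    The daily security report prints these lines as a diff against the
    previous day's output, so a leading '+' is tolerated and removed."""
    num, pkts, nbytes, text = line.lstrip("+").split(maxsplit=3)
    return int(num), int(pkts), int(nbytes), text


def demo() -> dict:
    """Run three constructed packets through the rule set.

    Only the loopback packet reaches rule 100; a packet addressed to
    127.0.0.1 but seen on a non-loopback interface (em0 is a constructed
    name) is what actually increments rule 200's counter."""
    samples = {
        "local loopback":   Packet("127.0.0.1", "127.0.0.1", "lo0"),
        "spoofed to 127/8": Packet("192.0.2.10", "127.0.0.1", "em0"),
        "ordinary inbound": Packet("192.0.2.10", "192.0.2.1", "em0"),
    }
    return {name: evaluate(RULESET, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, rule_no in demo().items():
        print(f"{name:18s} -> rule {rule_no}")
    print(parse_ipfw_show("+00200 12 795 deny ip from any to 127.0.0.0/8"))
```

The "ordinary inbound" packet returns None here because the example only models the two rules shown in the thread; on the real system it would continue down the rest of the rc.firewall rule set.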