Date: Sat, 14 Feb 2004 15:52:59 +0000
From: erschulz@comcast.net
To: freebsd-security@freebsd.org
Subject: Localhost traffic and ipfw rules
Message-ID: <021420041552.16872.65e9@comcast.net>
I seem to be stumped on this one. I have TCP packets destined to my external interface from 127.0.0.1 (Ack+Reset, zero data) with source MAC of my default gateway, and I can't seem to block this traffic. Snort picked up the traffic and I have confirmed with tcpdump.

So I decided I needed to examine my anti-spoof rules. I already had this one:

    deny ip from any to 127.0.0.0/8 in recv ${oif}

This never triggered on this traffic, so I figured it must be looking for a SYN before it would trigger. So I added the following:

    deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst

This still didn't block the traffic. So, I added the following:

    deny ip from 127.0.0.0/8 to ${oif}

And the packets are still not triggering any of these rules, and I've moved them up to the top of the list just to be sure I hadn't made an order of precedence error.

So, I'm open to ideas now. It is definitely coming in on my external interface, and its src MAC is definitely the MAC of my ISP's router. So, have I missed something? How do I drop these packets?

Thx.
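The poster confirmed the spoofed packets with tcpdump, so a defender-side check that is independent of whether any ipfw rule fires is to scan a capture of the external interface for frames whose source address sits inside 127.0.0.0/8. The script below is an added example and is not part of the original mail or of FreeBSD/ipfw; it parses the text output of `tcpdump -e -n` (the line layout is assumed from tcpdump's usual format), flags loopback-sourced packets, and notes whether the source MAC matches a caller-supplied gateway MAC. The sample lines and all MAC and IP addresses in it are constructed.

```python
import ipaddress
import re

# One "tcpdump -e -n" line: timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port: Flags [..]
# (layout assumed from tcpdump's usual Ethernet/IPv4/TCP output)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17})\s+>\s+(?P<dmac>[0-9a-f:]{17}),"
    r".*?:\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Source addresses that must never arrive on an external interface.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_line(line):
    """Return a dict of the interesting fields of one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sip"] = ipaddress.ip_address(d["sip"])
    d["dip"] = ipaddress.ip_address(d["dip"])
    return d


def find_loopback_spoofs(lines, gateway_mac=None):
    """Return the packets whose source IP lies in 127.0.0.0/8.

    The capture is assumed to have been taken on the external interface, where a
    loopback source is always spoofed. If gateway_mac is given, each finding records
    whether the frame's source MAC is that of the default gateway (as in the report).
    """
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # comment, truncated line, non-TCP traffic, etc.
        if pkt["sip"] not in LOOPBACK:
            continue
        findings.append({
            "ts": pkt["ts"],
            "src_mac": pkt["smac"],
            "src": f'{pkt["sip"]}:{pkt["sport"]}',
            "dst": f'{pkt["dip"]}:{pkt["dport"]}',
            "flags": pkt["flags"],
            "from_gateway": gateway_mac is not None and pkt["smac"].lower() == gateway_mac.lower(),
        })
    return findings


# Constructed sample capture: two spoofed ACK+RST packets from 127.0.0.1, one normal
# SYN-ACK from a public host, and one line that does not parse.
SAMPLE_LINES = [
    "15:52:59.100000 00:50:56:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 60: "
    "127.0.0.1.80 > 203.0.113.5.51234: Flags [R.], seq 0, ack 1, win 0, length 0",
    "15:52:59.200000 00:50:56:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: "
    "198.51.100.9.443 > 203.0.113.5.51235: Flags [S.], seq 100, ack 1, win 65535, length 0",
    "15:52:59.300000 00:50:56:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 60: "
    "127.0.0.1.22 > 203.0.113.5.51236: Flags [R.], seq 0, ack 1, win 0, length 0",
    "15:52:59.400000 truncated line that tcpdump would not have produced",
]

# Constructed MAC standing in for the ISP router's address.
GATEWAY_MAC = "00:50:56:aa:bb:01"

if __name__ == "__main__":
    for f in find_loopback_spoofs(SAMPLE_LINES, gateway_mac=GATEWAY_MAC):
        tag = "gateway MAC" if f["from_gateway"] else "other MAC"
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]} [{f["flags"]}] src MAC {f["src_mac"]} ({tag})')
```

Feed it a saved capture with `tcpdump -e -n -i <external interface> -r file.pcap | python3 spoofcheck.py` (reading stdin in place of `SAMPLE_LINES`) to get a count of loopback-sourced frames and the MAC they came from; if the count is non-zero while the firewall counters on the anti-spoof rules stay at zero, the problem is in the rules, not in the capture.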