From owner-freebsd-security@FreeBSD.ORG Sat Feb 14 07:53:00 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB74E16A4CE for ; Sat, 14 Feb 2004 07:53:00 -0800 (PST)
Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id D544B43D1F for ; Sat, 14 Feb 2004 07:53:00 -0800 (PST) (envelope-from erschulz@comcast.net)
Received: from 204.127.197.111 ([204.127.197.111]) by comcast.net (rwcrmhc11) with SMTP id <20040214155300013007n082e>; Sat, 14 Feb 2004 15:53:00 +0000
Received: from [24.0.202.208] by 204.127.197.111; Sat, 14 Feb 2004 15:52:59 +0000
From: erschulz@comcast.net
To: freebsd-security@freebsd.org
Date: Sat, 14 Feb 2004 15:52:59 +0000
Message-Id: <021420041552.16872.65e9@comcast.net>
X-Mailer: AT&T Message Center Version 1 (Oct 27 2003)
X-Authenticated-Sender: ZXJzY2h1bHpAY29tY2FzdC5uZXQ=
Subject: Localhost traffic and ipfw rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 14 Feb 2004 15:53:01 -0000

I seem to be stumped on this one. I have TCP packets destined to my external interface from 127.0.0.1 (Ack+Reset, zero data) with source MAC of my default gateway and I can't seem to block this traffic. Snort picked up the traffic and I have confirmed with tcpdump.

So I decided I needed to examine my anti-spoof rules. I already had this one:

    deny ip from any to 127.0.0.0/8 in recv ${oif}

This never triggered on this traffic so I figured it must be looking for a SYN before it would trigger. So I added the following:

    deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst

This still didn't block the traffic. So, I added the following:

    deny ip from 127.0.0.0/8 to ${oif}

And the packets are still not triggering any of these rules, and I've moved them up to the top of the list just to be sure I hadn't made an order of precedence error.

So, I'm open to ideas now. It is definitely coming in on my external interface, and its src MAC is definitely the MAC of my ISP's router. So, have I missed something? How do I drop these packets?

Thx.
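A way to reason about which of those rules can ever match the packet described, as an added example that is not part of the original post and is not ipfw itself: a small Python model of ipfw's first-match evaluation covering only the keywords used above (protocol, source/destination, in, recv/via, tcpflags). The interface name fxp0 and the address 192.0.2.10 are assumptions standing in for the real external interface, and ${oif} is taken to expand to that interface's own address (what ipfw spells as "me"). The model shows that the first rule can never fire on this packet, because it keys on a 127/8 destination while the packet has a 127/8 source and an external destination, whereas the second and third rules would match if ipfw saw the packet at all. Two conventional anti-spoof rules for the external interface, "deny ip from 127.0.0.0/8 to any in via $oif" and "deny ip from any to 127.0.0.0/8 in via $oif", are included for comparison and catch both a spoofed loopback source and a spoofed loopback destination.

```python
"""Toy model of ipfw rule matching, for checking anti-spoof rules offline.

Constructed example, not ipfw: only the options relevant to the loopback
spoofing question are modelled (proto, src/dst, in, recv/via, tcpflags).
"""
import ipaddress

# Assumed stand-ins for the real external interface and its address.
EXT_IF = "fxp0"
EXT_IP = ipaddress.ip_address("192.0.2.10")


def packet(src, dst, proto="tcp", direction="in", recv_if=EXT_IF, flags=()):
    """A minimal packet record holding just the fields the rules inspect."""
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dir": direction,
        "recv_if": recv_if,
        "flags": frozenset(flags),
    }


def addr_matches(spec, addr):
    """ipfw address spec: 'any', 'me' (our own address) or a host/CIDR."""
    if spec == "any":
        return True
    if spec == "me":
        return addr == EXT_IP
    return addr in ipaddress.ip_network(spec, strict=False)


class Rule:
    """One ipfw-style rule; the fields mirror the keywords used in the post."""

    def __init__(self, num, action, proto, src, dst, direction=None,
                 recv=None, via=None, tcpflags=()):
        self.num, self.action, self.proto = num, action, proto
        self.src, self.dst, self.direction = src, dst, direction
        self.recv, self.via, self.tcpflags = recv, via, frozenset(tcpflags)

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (addr_matches(self.src, pkt["src"])
                and addr_matches(self.dst, pkt["dst"])):
            return False
        if self.direction and self.direction != pkt["dir"]:
            return False
        # 'recv' names the interface the packet arrived on; for incoming
        # packets 'via' matches the same thing (its xmit side is not modelled).
        if self.recv and self.recv != pkt["recv_if"]:
            return False
        if self.via and self.via != pkt["recv_if"]:
            return False
        # 'tcpflags a,b' requires every listed flag to be set in the packet.
        if self.tcpflags and not self.tcpflags <= pkt["flags"]:
            return False
        return True


def first_match(rules, pkt):
    """ipfw is first-match: return the number of the first matching rule, else None."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.matches(pkt):
            return rule.num
    return None


# The three rules from the post, numbered in the order they were tried.
# ${oif} is assumed to expand to the external address, i.e. ipfw's 'me'.
POSTED_RULES = [
    Rule(100, "deny", "ip", "any", "127.0.0.0/8", direction="in", recv=EXT_IF),
    Rule(200, "deny", "tcp", "127.0.0.1", "me", tcpflags=("ack", "rst")),
    Rule(300, "deny", "ip", "127.0.0.0/8", "me"),
]

# A conventional anti-spoof pair for the external interface: drop anything
# on the wire with a loopback source *or* a loopback destination.
ANTISPOOF_RULES = [
    Rule(100, "deny", "ip", "127.0.0.0/8", "any", direction="in", via=EXT_IF),
    Rule(110, "deny", "ip", "any", "127.0.0.0/8", direction="in", via=EXT_IF),
]

# The packet described in the post: ACK+RST, loopback source, external destination.
SPOOFED_RST = packet("127.0.0.1", str(EXT_IP), flags=("ack", "rst"))


def diagnose():
    """Which rule from each set would catch the posted packet, if ipfw saw it."""
    return {
        "posted": first_match(POSTED_RULES, SPOOFED_RST),
        "antispoof": first_match(ANTISPOOF_RULES, SPOOFED_RST),
        # The original rule alone never fires: it keys on the *destination*.
        "posted_first_only": first_match(POSTED_RULES[:1], SPOOFED_RST),
    }


if __name__ == "__main__":
    print(diagnose())
```

If "ipfw -a list" shows zero packets on rules the model says should match, the packets are most likely never reaching ipfw. FreeBSD's IP input path discards packets carrying a 127/8 source or destination that arrive on a non-loopback interface (the RFC 1122 rule that 127/8 must not appear on the wire), and as far as I recall that check runs before the firewall hook, so such drops would show up in "netstat -s -p ip" rather than in any rule counter. tcpdump and Snort tap the interface through BPF before IP processing, which is why they still see the frames.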