From: Flemming Jacobsen <fj@batmule.dk>
To: erschulz@comcast.net
Cc: freebsd-security@freebsd.org
Date: Sun, 15 Feb 2004 07:57:24 +0100
Subject: Re: Localhost traffic and ipfw rules
Message-ID: <20040215065724.GA72019@prefect.unknown.dk>
In-Reply-To: <021420041552.16872.65e9@comcast.net>

erschulz@comcast.net wrote:
> I seem to be stumped on this one. I have TCP packets
> destined to my external interface from 127.0.0.1 (Ack+Reset,
> zero data) with source MAC of my default gateway, and I
> can't seem to block this traffic.
>
> Snort picked up the traffic and I have confirmed with
> tcpdump. So I decided I needed to examine my anti-spoof
> rules. I already had this one:
>
> deny ip from any to 127.0.0.0/8 in recv ${oif}

You probably want these as your first 3 rules:

  allow ip from any to any via lo0
  deny ip from any to 127.0.0.0/8
  deny ip from 127.0.0.0/8 to any

Some say that the TCP stack already takes care of this, but I like
these rules in my set - just to be 100% sure.

About the rest of your question: you probably are blocking the
traffic with your rules. BPF, which tcpdump and Snort use to snoop
packets, picks up packets before your ipfw rules are applied, thus
you see the full packet feed.

Regards
	Flemming

PS: Please insert linebreaks so your lines are no longer than 70-75
characters.

-- 
Flemming Jacobsen                          Email: fj@batmule.dk
---=== If speed kills, Windows users may live forever. ===---
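The following is an added example, not part of the mail above and not ipfw itself: a small first-match filter model in Python that takes the rules quoted in the thread in ipfw syntax and runs constructed packets through them. It shows why the original poster's single rule (`deny ip from any to 127.0.0.0/8 in recv ${oif}`) never matches a packet whose *source* is 127.0.0.1 and whose destination is the external address, why the third recommended rule (`deny ip from 127.0.0.0/8 to any`) is the one that catches it, and why `allow ip from any to any via lo0` has to come before the two deny rules. The interface name `fxp0`, the external address `203.0.113.10`, the trailing `allow ip from any to any` standing in for the rest of a ruleset, and the default-deny at the end are all assumptions made for the example; only `ip`, `from`/`to`, `any`, `in`/`out`, `via` and `recv` are modelled, and a forwarded packet's receive interface is not.

```python
"""Toy first-match model of the ipfw rules discussed in the thread.

This is a constructed illustration, not ipfw. It models only:
  action ip from <src> to <dst> [in|out] [via <iface>] [recv <iface>]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed names for the example; the post does not say what ${oif} is.
OIF = "fxp0"
EXTERNAL_ADDR = "203.0.113.10"   # RFC 5737 documentation address


@dataclass
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out"


@dataclass
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None   # "in", "out" or None (either)
    via: Optional[str] = None         # ipfw 'via': iface in either direction
    recv: Optional[str] = None        # ipfw 'recv': interface received on
    text: str = ""

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.direction and p.direction != self.direction:
            return False
        if self.via and p.iface != self.via:
            return False
        # Simplification: only inbound packets have a receive interface here.
        if self.recv and not (p.direction == "in" and p.iface == self.recv):
            return False
        return True


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw rule syntax used in the thread."""
    toks = text.split()
    if len(toks) < 6 or toks[0] not in ("allow", "deny") or toks[1] != "ip" \
            or toks[2] != "from" or toks[4] != "to":
        raise ValueError(f"unsupported rule: {text!r}")
    rule = Rule(toks[0], _net(toks[3]), _net(toks[5]), text=text)
    i = 6
    while i < len(toks):
        if toks[i] in ("in", "out"):
            rule.direction = toks[i]
            i += 1
        elif toks[i] in ("via", "recv") and i + 1 < len(toks):
            setattr(rule, toks[i], toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported keyword {toks[i]!r} in {text!r}")
    return rule


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins, as in ipfw; assume a default-deny tail."""
    for r in rules:
        if r.matches(p):
            return r.action, r.text
    return "deny", "default deny (assumed)"


# The poster's single anti-spoof rule, then a stand-in for whatever later
# rules admit normal traffic.
ORIGINAL = [parse_rule(f"deny ip from any to 127.0.0.0/8 in recv {OIF}"),
            parse_rule("allow ip from any to any")]

# The three rules recommended in the reply, in that order, then the stand-in.
RECOMMENDED = [parse_rule("allow ip from any to any via lo0"),
               parse_rule("deny ip from any to 127.0.0.0/8"),
               parse_rule("deny ip from 127.0.0.0/8 to any"),
               parse_rule("allow ip from any to any")]

# Same rules with the lo0 allow moved after the denies: breaks loopback.
MISORDERED = RECOMMENDED[1:3] + RECOMMENDED[:1] + RECOMMENDED[3:]

# Constructed packets: the one described in the thread, a legitimate
# loopback packet, and an outbound packet aimed at 127/8.
SPOOFED = Packet("127.0.0.1", EXTERNAL_ADDR, OIF, "in")
LOOPBACK = Packet("127.0.0.1", "127.0.0.1", "lo0", "in")
LEAK_OUT = Packet(EXTERNAL_ADDR, "127.0.0.5", OIF, "out")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("recommended", RECOMMENDED),
                        ("misordered", MISORDERED)):
        for pname, p in (("spoofed", SPOOFED), ("loopback", LOOPBACK),
                         ("leak_out", LEAK_OUT)):
            action, why = evaluate(rules, p)
            print(f"{name:12} {pname:9} -> {action:5}  ({why})")
```

Run as a script it prints one line per ruleset and packet. With the poster's rule alone the spoofed packet (source 127.0.0.1, destination the external address, arriving on the external interface) falls through, because the rule only inspects the destination; with the recommended set it is stopped by the source-address deny, loopback traffic is still allowed by the first rule, and swapping the order denies loopback traffic as well.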