From owner-freebsd-net@FreeBSD.ORG  Tue Feb 24 08:11:25 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 59F1A16A4CE
	for <freebsd-net@freebsd.org>; Tue, 24 Feb 2004 08:11:25 -0800 (PST)
Received: from smtp3.libero.it (smtp3.libero.it [193.70.192.127])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E927A43D2D
	for <freebsd-net@freebsd.org>; Tue, 24 Feb 2004 08:11:24 -0800 (PST)
	(envelope-from ml.ventu@flashnet.it)
Received: from soth.ventu (151.37.23.42) by smtp3.libero.it (7.0.020-DD01)
	id 401D5C59009B2593 for freebsd-net@freebsd.org;
	Tue, 24 Feb 2004 17:11:23 +0100
Received: from mailer (xanatar.ventu [10.1.2.6])
	by soth.ventu (8.12.6p3/8.12.6) with SMTP id i1OGBMmY026274
	for <freebsd-net@freebsd.org>; Tue, 24 Feb 2004 17:11:22 +0100 (CET)
	(envelope-from ml.ventu@flashnet.it)
Message-Id: <200402241611.i1OGBMmY026274@soth.ventu>
To: freebsd-net@freebsd.org
Priority: Normal
X-Mailer: Post Road Mailer for OS/2 (Green Edition Ver 3.0)
Date: Tue, 24 Feb 2004 17:11:22 EST
From: Andrea Venturoli <ml.ventu@flashnet.it>
Subject: Bad loopback traffic not stopped by ipfw.
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Andrea Venturoli <ml@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2004 16:11:25 -0000

Hello.

4.8-RELEASE-p15:

In /var/log/all.log I get a lot of:

snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP}
127.0.0.1:80 -> xx.xx.xx.xx:1055

(src port is always 80, dst port changes, xx.xx.xx.xx is my tun0 IP.)



ifconfig -a gives:

sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.100.55 netmask 0xffffff00 broadcast 192.168.100.255
        ether 00:10:5c:db:ee:c3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.106.1 netmask 0xffffff00 broadcast 192.168.106.255
        ether 00:50:fc:ac:b1:db
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1492
        inet xx.xx.xx.xx --> 192.168.100.1 netmask 0xffffffff
        Opened by PID 58




tcpdumping all interfaces one by one shows the packet only on tun0:

tcpdump -i tun0 -l src or dst 127.0.0.1

17:03:17.069193 127.0.0.1.http > 82.48.28.67.us-gv: R 0:0(0) ack 1889337345 win 0
17:03:18.034467 127.0.0.1.http > 82.48.28.67.tcp-id-port: R 0:0(0) ack 142009958 5 win 0
..



ipfw -a l (relevant parts):

00050 1152 388408 divert 8668 ip from any to any via tun0
..
01000    6   1248 allow ip from any to any via lo0 (this is really local ntp traffic)
..
01000    0      0 deny log ip from 127.0.0.0/8 to any in recv tun0



IMHO opinion wrong packets are arriving from the upstream router (for which it would be useless to ask for a fix),
snort and tcpdump correctly report them, but I think I should also see ipfw blocking them. At least this is what I read,
googling around, on a previous thread on freebsd-stable.

I also tried removing rule 50, just in case natd could have a role in this, but the behaviour did not change.



What's wrong?


 bye & Thanks
        av.