From owner-freebsd-net@FreeBSD.ORG Tue Feb 24 15:15:39 2004
From: Andrea Venturoli
To: freebsd-net@freebsd.org
Date: Wed, 25 Feb 2004 00:15:37 EST
Subject: Re: Bad loopback traffic not stopped by ipfw.
Message-Id: <200402242315.i1ONFbmZ028103@soth.ventu>
List-Id: Networking and TCP/IP with FreeBSD

** Reply to note from Ian Smith Wed, 25 Feb 2004 06:41:08 +1100 (EST)

> ... still dribbling in I see. Yawn. But they're being denied ok here.

But it is not so here! And also someone else reported the same problem...

> Try just 'deny log ip from 127.0.0.0/8 to any' (and as mentioned, 'deny
> log ip from any to 127.0.0.1/8' outbound also. Works here.

As I said in another reply I tried this too: ipfw -a l gives:

    00030 2 416 allow ip from any to any via lo0
    00031 0 0 deny log ip from any to 127.0.0.0/8
    00032 0 0 deny log ip from 127.0.0.0/8 to any
    ..

But the counts are still 0, no log is displayed and tcpdump keeps showing packets coming in.

> Not sure if the diversion for NAT above might affect whether they're
> appearing to ipfw as still being 'in recv tun0' or not at rule(s) 1000,
> but you'd want to block these on any interface, in or out, wouldn't you?

As I previously said, I tried it also without diversion to natd.

> > snort and tcpdump correctly report them, but I think I should also
> > see ipfw blocking them. At least this is what I read, googling
> > around, on a previous thread on freebsd-stable.
>
> You should indeed, but maybe some other rule between 50 and 1000 is
> either blocking or allowing them? Anyway, try the more general rule?

See above.

> (Caveat: the above are on a 2.2.6 router/gw that's still chugging along;
> I assume it's more likely a config prob than an issue with 4.8 ipfw(n))

I *hope* it is a config problem, but I can assure you it is not a trivial one, at least for me. Not an ipfw rules related one, at least. Either there is some setup I am not aware of or something is not working properly.

bye & Thanks
av.
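An added example, not part of the original thread, that automates the check Andrea is doing by hand above: it parses `ipfw -a list` output, reports loopback (127.0.0.0/8) deny rules whose packet counters are still zero, and flags deny rules that can never fire because an earlier allow matches any source and any destination on any interface. In the constructed sample only rules 30 to 32 mirror the post; the divert, catch-all and default rules, the counter values and the second "shadowed" listing are assumed to illustrate rule ordering.

```python
"""Audit an `ipfw -a list` listing for loopback (127.0.0.0/8) deny rules.
Added illustration for the thread above, not code from the original post."""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: rules 30-32 mirror the listing in the post; the divert,
# catch-all and default rules are assumed and only illustrate ordering.
SAMPLE_IPFW_LIST = """\
00030       2      416 allow ip from any to any via lo0
00031       0        0 deny log ip from any to 127.0.0.0/8
00032       0        0 deny log ip from 127.0.0.0/8 to any
00050       0        0 divert 8668 ip from any to any via tun0
01000     120    18944 allow ip from any to any
65535       0        0 deny ip from any to any
"""

# Constructed counter-example: a blanket allow placed before the deny rules.
SHADOWED_IPFW_LIST = """\
00020     500    60000 allow ip from any to any
00031       0        0 deny log ip from any to 127.0.0.0/8
00032       0        0 deny log ip from 127.0.0.0/8 to any
"""

# One line of `ipfw -a list`: number, packet and byte counters, rule body.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<action>[a-z]+)(?:\s+(?P<arg>\d+))?"      # e.g. "divert 8668"
    r"(?:\s+(?P<log>log))?"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?P<ifkw>via|recv|xmit)\s+(?P<iface>\S+))?"
)


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str
    src: str
    dst: str
    iface: Optional[str]
    log: bool


def parse_ipfw_list(text: str) -> List[Rule]:
    """Parse `ipfw -a list` lines; anything that is not a static rule is skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append(Rule(
            number=int(m["num"]), packets=int(m["pkts"]), bytes=int(m["bytes"]),
            action=m["action"], src=m["src"], dst=m["dst"],
            iface=m["iface"], log=m["log"] is not None,
        ))
    return rules


def is_loopback(spec: str) -> bool:
    """True if an address spec (host or CIDR) lies inside 127.0.0.0/8."""
    if spec == "any":
        return False
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:          # "me", hostnames, table references, ...
        return False
    return net.version == 4 and net.subnet_of(LOOPBACK)


def loopback_deny_rules(rules: List[Rule]) -> List[Rule]:
    return [r for r in rules
            if r.action == "deny" and (is_loopback(r.src) or is_loopback(r.dst))]


def never_matched(rules: List[Rule]) -> List[int]:
    """Numbers of loopback deny rules whose packet counter is still zero."""
    return [r.number for r in loopback_deny_rules(rules) if r.packets == 0]


def shadowed_by(rules: List[Rule]) -> Dict[int, List[int]]:
    """Loopback deny rules preceded by an allow matching any/any on any interface."""
    result: Dict[int, List[int]] = {}
    for deny in loopback_deny_rules(rules):
        earlier = [r.number for r in rules
                   if r.number < deny.number and r.action == "allow"
                   and r.src == "any" and r.dst == "any" and r.iface is None]
        if earlier:
            result[deny.number] = earlier
    return result


if __name__ == "__main__":
    # `ipfw -a list | python3 audit_ipfw.py`, or no input to use the sample.
    listing = SAMPLE_IPFW_LIST if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_ipfw_list(listing)
    print("loopback deny rules never matched:", never_matched(parsed))
    print("shadowed by earlier blanket allow:", shadowed_by(parsed))
```

On the sample that mirrors the post, rules 31 and 32 come back as never matched and nothing shadows them, which is exactly Andrea's situation: the ruleset is ordered correctly, so zero counters point at the packets not reaching ipfw rather than at a rule-ordering mistake. The second listing shows what the shadowing report looks like when a blanket allow does sit in front of the deny rules.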