From: Andrew Riabtsev
To: Iasen Kostov
Cc: freebsd-net@freebsd.org
Date: Wed, 25 Feb 2004 16:47:03 +0300
Subject: Re[2]: Bad loopback traffic not stopped by ipfw.

Hello Iasen,

Wednesday, February 25, 2004, 3:37:25 PM, you wrote:

IK> netstat -s -p ip
IK> .
IK> .
IK> .
IK> 3575124 datagrams with bad address in header

IK> Could it be this that drops "bad" packets before they enter the IPFW ?

To me it would also be interesting to know where this traffic comes from.
I have the same on my local net:

# tcpdump -neifxp0 src or dst 127.0.0.1
tcpdump: listening on fxp0
16:26:23.280737 0:50:fc:ed:d4:4 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.141.148.1928: R 0:0(0) ack 1986723841 win 0
16:26:23.285831 0:d:61:e:3f:c3 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.213.167.1571: R 0:0(0) ack 812253185 win 0
16:26:23.287642 0:1:2:9c:cf:e2 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.118.205.1046: R 0:0(0) ack 1959723009 win 0
16:26:23.297289 0:4:79:68:14:9c 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.214.208.1997: R 0:0(0) ack 1905917953 win 0
16:26:23.297555 0:c0:df:13:87:c4 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.53.212.1836: R 0:0(0) ack 1137442817 win 0

The dst MAC address is the MAC of fxp0, and the src addresses are MACs from the local net, not just nonexistent MACs. It could be some kind of attack, or it is a flood from a broken device in the local net, or maybe something else; I'll try to find it out. Let me know if you find out something new.

Andrew
mailto:resident@b-o.ru
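
Added example, not part of the original message: a small parser for the tcpdump -ne line layout shown in the capture above. It flags frames that carry a 127/8 address on a non-loopback interface and tallies them by source MAC, which gives the per-sender view needed to trace the emitting hosts. The function names and the third sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Older "tcpdump -ne" layout, as in the capture above:
# time src-mac dst-mac ethertype length: src-ip.port > dst-ip.port: rest
LINE_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-fA-F:]+)\s+(?P<dmac>[0-9a-fA-F:]+)\s+"
    r"[0-9a-fA-F]{4}\s+\d+:\s+"
    r"(?P<sip>\d+(?:\.\d+){3})\.\d+\s+>\s+"
    r"(?P<dip>\d+(?:\.\d+){3})\.\d+:\s*(?P<rest>.*)$"
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def norm_mac(mac):
    """Zero-pad each octet: tcpdump prints 0:d:61:e:3f:c3 for 00:0d:61:0e:3f:c3."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def loopback_on_wire(lines):
    """Return parsed records whose source or destination IP is in 127/8."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 TCP/UDP line in this layout
        sip, dip = (ipaddress.ip_address(m[k]) for k in ("sip", "dip"))
        if sip in LOOPBACK or dip in LOOPBACK:
            hits.append({"src_mac": norm_mac(m["smac"]), "src_ip": str(sip),
                         "dst_ip": str(dip),
                         "flags": (m["rest"].split() or [""])[0]})
    return hits

def senders_by_mac(hits):
    """Count offending frames per source MAC to locate the emitting hosts."""
    return Counter(h["src_mac"] for h in hits)

# The first two lines come from the capture above; the third is constructed
# (ordinary LAN traffic with a placeholder MAC) and must not be flagged.
SAMPLE = [
    "16:26:23.280737 0:50:fc:ed:d4:4 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.141.148.1928: R 0:0(0) ack 1986723841 win 0",
    "16:26:23.285831 0:d:61:e:3f:c3 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.213.167.1571: R 0:0(0) ack 812253185 win 0",
    "16:26:24.000001 0:11:22:33:44:55 0:02:55:b0:90:e4 0800 74: 192.168.1.10.1025 > 192.168.1.1.80: S 1:1(0) win 65535",
]

if __name__ == "__main__":
    for mac, count in senders_by_mac(loopback_on_wire(SAMPLE)).most_common():
        print(mac, count)
```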