From: Kris Kennaway <kris@obsecurity.org>
To: Pertti Kosunen
Cc: freebsd-stable@freebsd.org
Date: Mon, 22 Sep 2003 10:29:46 -0700
Subject: Re: [snort] BAD-TRAFFIC loopback traffic 4.9-PRE
Message-ID: <20030922172946.GB47243@rot13.obsecurity.org>
In-Reply-To: <00b801c380f5$aaef7af0$0b00000a@arenanet.fi>
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

On Mon, Sep 22, 2003 at 01:38:30PM +0300, Pertti Kosunen wrote:
> > > What could cause this loopback traffic?
> >
> > Forged source address on a network with no egress filtering.
> >
> > Kris
>
> Ok, I put ipfw on with the default simple mode.
> ipfw -a l
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> ...
>
> Still get this:
> tcpdump: listening on xl0
> 12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1165: R 0:0(0) ack 1416364033 win 0
> 12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1284: R 0:0(0) ack 72679425 win 0
> 12:52:32.717702 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1667: R 0:0(0) ack 1243086849 win 0
>
> 0:90:1a:40:1f:db is the default gateway's (ISP) MAC address; xl0 0:50:da:ca:61:e9
> is my outside net card.
>
> Is this normal traffic, and what should I check next?

Yes, and ipfw should be denying the packets. Is it not doing so?

Note that you'll still see them on the wire from the external network,
because ipfw can't make the packets disappear en route into the machine;
it can only deny them once they get there.

Kris
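The point of the exchange above is that a packet with a 127.0.0.0/8 source can only reach the outside interface if someone forged it upstream, and that tcpdump sees it on the wire before ipfw gets a chance to drop it. The following script, an added illustration that is not part of the original mail or of FreeBSD, applies that reasoning to `tcpdump -e` output: it parses the old-style lines quoted in the thread and flags any frame whose source address belongs to a range that can never legitimately arrive from the Internet (loopback, RFC 1918, link-local, multicast, and the other reserved blocks of RFC 3704 ingress filtering), together with the upstream MAC that delivered it. The sample capture is constructed from the three lines in the thread, with the poster's elided outside address (`out.ip`) replaced by 192.0.2.10 as an assumption, plus one legitimate line so the filter has something to let through.

```python
"""Flag 'martian'-sourced frames in tcpdump -e output.

Added example for the freebsd-stable thread on spoofed loopback traffic;
not code from the original mail or from FreeBSD. Sample lines are
constructed: the three from the thread with 'out.ip' replaced by
192.0.2.10 (an assumption), plus one ordinary frame from 203.0.113.5.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

# Source prefixes that must never appear on a packet arriving from the
# Internet. Seeing one on the outside interface means the header was
# forged and the sending network did no egress filtering.
MARTIAN_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Old-style `tcpdump -e` line:
#   <time> <src mac> <dst mac> <ethertype> <len>: <src ip.port> > <dst ip.port>: ...
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+"
    r"(?P<type>[0-9a-f]{4})\s+(?P<len>\d+):\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
)

SAMPLE_TCPDUMP = """\
12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1165: R 0:0(0) ack 1416364033 win 0
12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1284: R 0:0(0) ack 72679425 win 0
12:51:40.000000 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 203.0.113.5.80 > 192.0.2.10.1300: R 0:0(0) ack 1 win 0
12:52:32.717702 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1667: R 0:0(0) ack 1243086849 win 0
"""


class Frame(NamedTuple):
    ts: str
    src_mac: str
    src_ip: ipaddress.IPv4Address
    src_port: int
    dst_ip: ipaddress.IPv4Address
    dst_port: int


def _split_addr(field: str):
    """'127.0.0.1.80' -> (IPv4Address('127.0.0.1'), 80)."""
    host, port = field.rsplit(".", 1)
    return ipaddress.ip_address(host), int(port)


def parse_line(line: str) -> Optional[Frame]:
    """Parse one tcpdump -e line; None for non-matching or non-IPv4 frames."""
    m = _LINE.match(line)
    if not m or m.group("type") != "0800":
        return None
    sip, sport = _split_addr(m.group("src"))
    dip, dport = _split_addr(m.group("dst"))
    return Frame(m.group("ts"), m.group("smac"), sip, sport, dip, dport)


def is_martian(addr) -> bool:
    """True if the source address can never be valid on an outside interface."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in MARTIAN_SOURCES)


def spoofed_frames(capture: str) -> list:
    """Frames in a capture from the outside interface with a forged source."""
    return [f for f in map(parse_line, capture.splitlines())
            if f is not None and is_martian(f.src_ip)]


def summarize(capture: str) -> dict:
    """Count spoofed frames per (upstream MAC, claimed source): this shows
    which neighbour handed the machine the forged packets."""
    counts = {}
    for f in spoofed_frames(capture):
        key = (f.src_mac, str(f.src_ip))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in spoofed_frames(SAMPLE_TCPDUMP):
        print(f"{f.ts} forged {f.src_ip}:{f.src_port} -> "
              f"{f.dst_ip}:{f.dst_port} delivered by {f.src_mac}")
    print(summarize(SAMPLE_TCPDUMP))
```

Run against the sample it reports the three 127.0.0.1 frames and attributes all of them to the gateway MAC 0:90:1a:40:1f:db, while the 203.0.113.5 frame passes. On the host itself the corresponding check is the packet counter in the second column of `ipfw -a list` for rule 00300: if it climbs while tcpdump keeps showing the frames, the firewall is doing its job and the wire view is just bpf seeing packets before the filter.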