Date: Sun, 2 Nov 2003 12:04:24 +1030
From: "Rob" <listone@deathbeforedecaf.net>
To: "Chris" <bsdnewbie@coolarrow.com>, <freebsd-questions@freebsd.org>
Subject: Re: IPFW strange events
Message-ID: <012d01c3a0e1$73216500$a4b826cb@goo>
References: <200311011055320938.07E914B9@tcslea.org>
Not a direct answer, but you should generally put
    add allow all from any to any via lo0
near the start of a rules list. Some things may break if you block
loopback connections.
----- Original Message -----
From: "Chris" <bsdnewbie@coolarrow.com>
Subject: IPFW strange events
Hello,
This is occurring on a 4.8-RELEASE server using IPFW2...
I have numerous rules that block bogus networks... one of which is:
ipfw add 0104 deny log ip from 96.0.0.0/3 to any
And I know it's working because using "ipfw list" I get:
00104 deny log ip from 96.0.0.0/3 to any
Whenever that rule is active, it's blocking packets - "ipfw show":
00104         21       1148 deny log ip from 96.0.0.0/3 to any
BUT....
Various services stop working... so I look at /var/log/security and see
NUMEROUS entries such as this:
Nov  1 10:30:00 server /kernel: ipfw: 104 Deny TCP 127.0.0.1:1051 127.0.0.1:80 out via lo0
Now I don't see anything in the rule about the localhost address, yet
that's what it's blocking. But a little bit ahead of that rule, I do
have this one:
ipfw add 082 divert natd all from any to any via fxp0
Would it help to put all the bogus network deny rules ahead of the
divert rule?
Stumped,
Chris
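The log line in the quoted message follows from the prefix length: 96.0.0.0/3 keeps only the top three address bits, so it spans 96.0.0.0 through 127.255.255.255 and therefore contains 127.0.0.1. Below is an added example, not code from either message or from FreeBSD: a small Python model of ipfw's first-match evaluation over the rules quoted above, which shows the loopback packet hitting rule 104 and then being accepted once Rob's `allow all from any to any via lo0` rule is placed ahead of it. The rule numbers 10 and 65000, the catch-all allow, and the sample outside packet are constructed for the example; the divert/natd reinjection step and port or protocol matching are deliberately left out of the model.

```python
"""Constructed model of ipfw first-match rule evaluation (not FreeBSD code).

Only source/destination addresses and the 'via' interface are matched; the
divert natd rule (82) is a NAT hook rather than an accept/deny decision and
is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network   # ipfw "any" is represented as 0.0.0.0/0
    dst: ipaddress.IPv4Network
    via: Optional[str] = None    # interface name, or None when no 'via' clause


def rule(number: int, action: str, src: str, dst: str, via: Optional[str] = None) -> Rule:
    """Build a Rule from ipfw-style address strings ('any' or CIDR)."""
    def net(s: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return Rule(number, action, net(src), net(dst), via)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str   # interface the packet is seen on


def matches(r: Rule, p: Packet) -> bool:
    """A rule matches when its 'via' (if any) and both address sets match."""
    if r.via is not None and r.via != p.iface:
        return False
    return (ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst)


def first_match(rules: List[Rule], p: Packet) -> Rule:
    """ipfw semantics: try rules in ascending number order, the first
    allow/deny that matches decides the packet's fate."""
    for r in sorted(rules, key=lambda x: x.number):
        if matches(r, p):
            return r
    raise LookupError("no rule matched; the rule set needs a catch-all")


def decision(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Return (rule number, action) that decides packet p."""
    r = first_match(rules, p)
    return (r.number, r.action)


def prefix_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address covered by a CIDR prefix."""
    n = ipaddress.ip_network(cidr)
    return (str(n.network_address), str(n.broadcast_address))


# Chris's rule 104 plus a constructed catch-all accept (rule number 65000 is
# an assumption) so that every packet is decided by some rule.
CHRIS_RULES = [
    rule(104, "deny", "96.0.0.0/3", "any"),
    rule(65000, "allow", "any", "any"),
]

# The same list with Rob's suggestion inserted near the start (rule number 10
# is an assumption).
WITH_LOOPBACK_ALLOW = [rule(10, "allow", "any", "any", via="lo0")] + CHRIS_RULES

# Addresses taken from the logged line 127.0.0.1:1051 -> 127.0.0.1:80 out via lo0.
LOGGED_PACKET = Packet("127.0.0.1", "127.0.0.1", "lo0")
# Constructed packet from inside the 96.0.0.0/3 range arriving on the outside NIC.
BOGON_PACKET = Packet("98.1.2.3", "10.0.0.1", "fxp0")

if __name__ == "__main__":
    print("96.0.0.0/3 spans", prefix_bounds("96.0.0.0/3"))
    print("loopback packet, Chris's rules:   ", decision(CHRIS_RULES, LOGGED_PACKET))
    print("loopback packet, with lo0 allow:  ", decision(WITH_LOOPBACK_ALLOW, LOGGED_PACKET))
    print("98.1.2.3 via fxp0, with lo0 allow:", decision(WITH_LOOPBACK_ALLOW, BOGON_PACKET))
```

Running it prints the range 96.0.0.0 to 127.255.255.255, rule 104 denying the loopback packet under the original list, and rule 10 accepting it once the lo0 allow is present, while the 98.1.2.3 packet on fxp0 is still denied by 104. The same first-match check is worth running against any deny list built from large aggregate prefixes: a prefix short enough to swallow 127.0.0.0/8 also swallows other ranges the host relies on.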
