From: "Rob"
To: "Chris", freebsd-questions@freebsd.org
Date: Sun, 2 Nov 2003 12:04:24 +1030
Subject: Re: IPFW strange events
Message-ID: <012d01c3a0e1$73216500$a4b826cb@goo>
References: <200311011055320938.07E914B9@tcslea.org>

Not a direct answer, but you should generally put

    add allow all from any to any via lo0

near the start of a rules list. Some things may break if you block loopback connections.

----- Original Message -----
From: "Chris"
Subject: IPFW strange events

Hello,

This is occurring on a 4.8-RELEASE server using IPFW2... I have numerous rules that block bogus networks... one of which is:

    ipfw add 0104 deny log ip from 96.0.0.0/3 to any

And I know it's working because using "ipfw list" I get:

    00104 deny log ip from 96.0.0.0/3 to any

Whenever that rule is active, it's blocking packets - "ipfw show":

    00104 21 1148 deny log ip from 96.0.0.0/3 to any

BUT.... Various services stop working... so I look at /var/log/security and see NUMEROUS entries such as this:

    Nov 1 10:30:00 server /kernel: ipfw: 104 Deny TCP 127.0.0.1:1051 127.0.0.1:80 out via lo0

Now I don't see anything in the rule about the localhost address, yet that's what it's blocking. But a little bit ahead of that rule, I do have this one:

    ipfw add 082 divert natd all from any to any via fxp0

Would it help to put all the bogus network deny rules ahead of the divert rule?

Stumped,
Chris
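The rule-ordering question in this thread, as an added example that is not part of either message: a small Python model of ipfw first-match evaluation run over the rules quoted above, with and without the loopback allow rule from the reply in front. The rule set and the packet are constructed from the values on the page (rule number 10 for the lo0 allow is an assumption), divert/natd reinjection is simplified to "search continues", and the address check also shows why rule 104 catches loopback traffic at all: 96.0.0.0/3 spans 96.0.0.0 through 127.255.255.255, which contains 127.0.0.0/8.

```python
import ipaddress

# Toy model of ipfw rule evaluation (added example, not ipfw itself):
# rules are tried in ascending number order and the first terminating
# match decides the packet's fate.

def parse_rule(line):
    """Parse a subset of ipfw syntax: NUM ACTION [arg] [log] PROTO from SRC to DST [via IF]."""
    tok = line.split()
    if tok[:2] == ["ipfw", "add"]:
        tok = tok[2:]
    num, action, i = int(tok[0]), tok[1], 2
    if action == "divert":          # divert carries a port or service name (natd)
        i += 1
    if tok[i] == "log":
        i += 1
    proto = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError("unsupported rule: " + line)
    src, dst, i = tok[i + 2], tok[i + 4], i + 5
    iface = tok[i + 1] if i < len(tok) and tok[i] == "via" else None
    return {"num": num, "action": action, "proto": proto,
            "src": src, "dst": dst, "via": iface}

def addr_match(spec, ip):
    """True if ip is 'any' or inside the CIDR spec (96.0.0.0/3 includes 127.0.0.1)."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, pkt):
    """Return (rule number, action) of the first terminating rule matching pkt."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["proto"] not in ("all", "ip", pkt["proto"]):
            continue
        if r["via"] is not None and r["via"] != pkt["iface"]:
            continue
        if not (addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
            continue
        if r["action"] == "divert":     # simplified: natd hands the packet back, search continues
            continue
        return r["num"], r["action"]
    return None, "default"

# Rules quoted in the thread, and the same set with the loopback allow (assumed number 10) in front.
ORIGINAL = ["ipfw add 082 divert natd all from any to any via fxp0",
            "ipfw add 0104 deny log ip from 96.0.0.0/3 to any"]
LOOPBACK_FIRST = ["ipfw add 0010 allow all from any to any via lo0"] + ORIGINAL

# Constructed from the /var/log/security line: 127.0.0.1:1051 -> 127.0.0.1:80 out via lo0
PKT = {"proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0"}

def evaluate(rule_lines, pkt=PKT):
    return first_match([parse_rule(l) for l in rule_lines], pkt)

if __name__ == "__main__":
    print("original order :", evaluate(ORIGINAL))        # (104, 'deny')
    print("lo0 allow first:", evaluate(LOOPBACK_FIRST))  # (10, 'allow')
```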