Date: Mon, 3 Nov 2003 10:53:13 -0000
From: Philip Payne <philip.payne@uk.mci.com>
To: Chris <bsdnewbie@coolarrow.com>, freebsd-questions@freebsd.org
Subject: RE: IPFW strange events
Message-ID: <36D04A8168B2D41182250008C7E6F87805671C63@ukcamexch2.cbg.uk.corp.eu.uu.net>
Hi Chris,

The net address and subnet mask combination that is 96.0.0.0/3 covers the range 96.0.0.0 to 127.255.255.255. You are therefore blocking all traffic to the localhost address (127.0.0.0). Now, I'm a networking bloke, not an MIS person, but I would assume this is BAD as services/apps on your machine would want to use this address.

What you need to do is have a rule ahead of this specifying:

allow all from any to any via lo0

If you need a tool to help visualising firewall policy I would recommend /usr/ports/security/fwbuilder. It needs a bit of a hack to make NAT work which I've posted previously to this list.

Thanks,
Phil.

> -----Original Message-----
> From: Chris [mailto:bsdnewbie@coolarrow.com]
> Sent: 01 November 2003 16:56
> To: freebsd-questions@freebsd.org
> Subject: IPFW strange events
>
> Hello,
>
> This is occurring on a 4.8-RELEASE server using IPFW2...
>
> I have numerous rules that block bogus networks... one of which is:
>
> ipfw add 0104 deny log ip from 96.0.0.0/3 to any
>
> And I know it's working because using "ipfw list" I get:
>
> 00104 deny log ip from 96.0.0.0/3 to any
>
> Whenever that rule is active, it's blocking packets - "ipfw show":
>
> 00104 21 1148 deny log ip from 96.0.0.0/3 to any
>
> BUT....
>
> Various services stop working... so I look at /var/log/security and see NUMEROUS entries such as this:
>
> Nov 1 10:30:00 server /kernel: ipfw: 104 Deny TCP 127.0.0.1:1051 127.0.0.1:80 out via lo0
>
> Now I don't see anything in the rule about the localhost address, yet that's what it's blocking. But a little bit ahead of that rule, I do have this one:
>
> ipfw add 082 divert natd all from any to any via fxp0
>
> Would it help to put all the bogus network deny rules ahead of the divert rule?
>
> Stumped,
> Chris
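Added example, not from the thread or from FreeBSD's ipfw: a small Python model of the rule-ordering problem Phil describes. It computes the range 96.0.0.0/3 covers with the standard `ipaddress` module and walks the two rules Chris quoted (82 divert, 104 deny) in number order to show that loopback traffic hits the deny, and that placing Phil's `allow ... via lo0` rule ahead of it (rule number 10 is an assumption; any number below 104 would do) restores loopback without weakening the bogon block. The model treats divert as non-terminating, since natd reinjects the packet and ipfw continues at the next rule, and ignores rules the thread does not quote.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "divert"
    src: str                    # CIDR, or "any"
    dst: str                    # CIDR, or "any"
    via: Optional[str] = None   # interface name, or None for any interface


def cidr_range(prefix):
    """First and last address covered by a CIDR prefix, e.g. 96.0.0.0/3."""
    net = ipaddress.ip_network(prefix)
    return str(net.network_address), str(net.broadcast_address)


def _covers(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def first_match(rules, src, dst, iface):
    """(number, action) of the first terminating rule matching the packet.
    divert is modelled as non-terminating (processing continues after natd).
    Returns None when no quoted rule decides the packet."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.via is not None and r.via != iface:
            continue
        if not (_covers(r.src, src) and _covers(r.dst, dst)):
            continue
        if r.action == "divert":
            continue
        return (r.number, r.action)
    return None


# Chris's ruleset as quoted in the thread (only the rules he mentioned).
ORIGINAL = [
    Rule(82, "divert", "any", "any", "fxp0"),
    Rule(104, "deny", "96.0.0.0/3", "any"),
]

# Phil's fix: an explicit loopback allow ahead of the bogon denies.
# Rule number 10 is a constructed choice, not taken from the thread.
FIXED = [Rule(10, "allow", "any", "any", "lo0")] + ORIGINAL

if __name__ == "__main__":
    print(cidr_range("96.0.0.0/3"))                                # ('96.0.0.0', '127.255.255.255')
    print(first_match(ORIGINAL, "127.0.0.1", "127.0.0.1", "lo0"))  # (104, 'deny')
    print(first_match(FIXED, "127.0.0.1", "127.0.0.1", "lo0"))     # (10, 'allow')
    print(first_match(FIXED, "100.1.2.3", "10.0.0.5", "fxp0"))     # (104, 'deny')
```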
