From: Philip Payne <philip.payne@uk.mci.com>
To: Chris, freebsd-questions@freebsd.org
Date: Mon, 3 Nov 2003 10:53:13 -0000
Message-ID: <36D04A8168B2D41182250008C7E6F87805671C63@ukcamexch2.cbg.uk.corp.eu.uu.net>
Subject: RE: IPFW strange events

Hi Chris,

The net address and subnet mask combination that is 96.0.0.0/3 covers the range 96.0.0.0 to 127.255.255.255.
You are therefore blocking all traffic to the localhost address (127.0.0.0). Now, I'm a networking bloke, not an MIS person, but I would assume this is BAD as services/apps on your machine would want to use this address.

What you need to do is have a rule ahead of this specifying:

allow all from any to any via lo0

If you need a tool to help visualising firewall policy I would recommend /usr/ports/security/fwbuilder. It needs a bit of a hack to make NAT work, which I've posted previously to this list.

Thanks,
Phil.

> -----Original Message-----
> From: Chris [mailto:bsdnewbie@coolarrow.com]
> Sent: 01 November 2003 16:56
> To: freebsd-questions@freebsd.org
> Subject: IPFW strange events
>
> Hello,
>
> This is occurring on a 4.8-RELEASE server using IPFW2...
>
> I have numerous rules that block bogus networks... one of which is:
>
> ipfw add 0104 deny log ip from 96.0.0.0/3 to any
>
> And I know it's working because using "ipfw list" I get:
>
> 00104 deny log ip from 96.0.0.0/3 to any
>
> Whenever that rule is active, it's blocking packets - "ipfw show":
>
> 00104 21 1148 deny log ip from 96.0.0.0/3 to any
>
> BUT....
>
> Various services stop working... so I look at /var/log/security and see NUMEROUS entries such as this:
>
> Nov 1 10:30:00 server /kernel: ipfw: 104 Deny TCP 127.0.0.1:1051 127.0.0.1:80 out via lo0
>
> Now I don't see anything in the rule about the localhost address, yet that's what it's blocking. But a little bit ahead of that rule, I do have this one:
>
> ipfw add 082 divert natd all from any to any via fxp0
>
> Would it help to put all the bogus network deny rules ahead of the divert rule?
>
> Stumped,
> Chris
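The two points in the exchange above, that 96.0.0.0/3 is wide enough to contain the whole 127/8 loopback block and that ipfw's first-match evaluation makes the position of the "via lo0" allow rule decisive, can be checked without touching a firewall. The following Python model is an added example and is not code from either poster; `Rule`, `first_match`, `covers_loopback` and `audit_bogons` are hypothetical helpers, the rulesets are constructed from the rules quoted in the thread, and the fallthrough rule 65535 is assumed to be deny (the stock kernel default).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical, simplified model of an ipfw rule: only the source prefix and
# the "via <iface>" qualifier are modelled, which is all this thread needs.
@dataclass
class Rule:
    number: int                 # ipfw rule number; rules are tried in ascending order
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network  # "from <src>" prefix
    via: Optional[str] = None   # "via <iface>", or None when the rule matches any interface

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def covers_loopback(cidr: str) -> bool:
    """True when a bogon prefix also swallows the whole 127/8 loopback block."""
    return LOOPBACK.subnet_of(ipaddress.ip_network(cidr, strict=False))

def first_match(rules: List[Rule], src_ip: str, iface: str) -> Tuple[int, str]:
    """ipfw-style evaluation: the first rule whose source prefix and interface
    both match decides the packet. Falls through to the implicit default
    rule 65535, assumed here to be deny."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if src in r.src and (r.via is None or r.via == iface):
            return r.number, r.action
    return 65535, "deny"

def audit_bogons(prefixes: List[str]) -> List[str]:
    """Return the entries of a bogon list that would also deny loopback traffic;
    a pre-flight check before loading such a list into a firewall."""
    return [p for p in prefixes if covers_loopback(p)]

# Constructed rulesets. BOGON is rule 104 from the thread; LO0_ALLOW is the
# "allow all from any to any via lo0" rule Phil suggests, numbered 100 here
# so that it sorts ahead of 104.
BOGON = Rule(104, "deny", ipaddress.ip_network("96.0.0.0/3"))
LO0_ALLOW = Rule(100, "allow", ipaddress.ip_network("0.0.0.0/0"), via="lo0")

ORIGINAL_RULESET = [BOGON]
FIXED_RULESET = [LO0_ALLOW, BOGON]

if __name__ == "__main__":
    print("96.0.0.0/3 covers 127/8:", covers_loopback("96.0.0.0/3"))
    # The logged packet from the thread: 127.0.0.1 -> 127.0.0.1:80 out via lo0
    print("original ruleset:", first_match(ORIGINAL_RULESET, "127.0.0.1", "lo0"))
    print("fixed ruleset:   ", first_match(FIXED_RULESET, "127.0.0.1", "lo0"))
    print("offending bogons:", audit_bogons(["96.0.0.0/3", "10.0.0.0/8", "224.0.0.0/4"]))
```

Running the model against the logged packet gives `(104, 'deny')` for the original ruleset and `(100, 'allow')` once the lo0 rule sorts ahead of it, while a source in 96/3 arriving on fxp0 is still denied by rule 104. The `audit_bogons` pass is the check worth running over any aggregated bogon list before loading it: a prefix that covers 127/8 will break local services regardless of where the divert rule sits.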