In the last episode (Apr 10), Rob said:
> Hi Everyone,
> 
> My 6.2-Release system coughed up a report of denied packets from ipfw
> in its daily security run:
> 
> ipfw denied packets:
> +++ /tmp/security.gnkQg5CA    Thu Apr 10 03:04:15 2008
> +00200        12         795 deny ip from any to 127.0.0.0/8
> 
> What does this mean?  I understand that's the loopback interface, but
> I'm not terribly knowledgeable on ipfw.  Is this some crack attempt,
> or normal background noise?  I don't understand how lo0 would ever
> see any IP addresses other than its own?!
> 
> The whole rule set looks like this:
> 
> # ipfw show
> 00100   4749394  1011660210 allow ip from any to any via lo0
> 00200        12         795 deny ip from any to 127.0.0.0/8

Since rule 100 matches any lo0 packets, rule 200 actually matches
packets destined to 127.0.0.1 from a _non-loopback_ interface, which
isn't usually possible unless an external machine directly injects
those packets onto the network.  You can try changing that rule to a
"deny log", then watch /var/log/security for hits.

--- rc.firewall 20 Feb 2008 01:39:04 -0000
+++ rc.firewall 21 Feb 2008 21:51:44 -0000
@@ -83,8 +83,8 @@
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
-       ${fwcmd} add 200 deny all from any to 127.0.0.0/8
-       ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+       ${fwcmd} add 200 deny log all from any to 127.0.0.0/8
+       ${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any
 }
 
 if [ -n "${1}" ]; then
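Review bot: the `log` keyword added to rules 200 and 300 emits nothing unless net.inet.ip.fw.verbose is 1, which /etc/rc.d/ipfw only sets when rc.conf has firewall_logging="YES"; someone applying this hunk and watching /var/log/security may therefore see no hits for the wrong reason. Add that requirement to the comment above the rules ("Only in rare cases ..."), or condition the `log` on that knob. Since these two rules sit in the default loopback setup that every firewall_type shares, also consider `deny log logamount N` so a flood of injected 127/8 packets cannot fill the log.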


-- 
        Dan Nelson
        [EMAIL PROTECTED]
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
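As an added example (not code from Dan Nelson's post or from FreeBSD itself), here is a small shell helper for the second half of the advice above: once rule 200 is a "deny log" rule and net.inet.ip.fw.verbose is 1, each hit lands in /var/log/security, and the question becomes which interface and source those 127/8 packets arrived on. The function name summarize_ipfw_denies is this example's own; the log lines are constructed sample data in the FreeBSD ipfw log format, not real output from Rob's machine.

```shell
#!/bin/sh
# Added example (not code from the original post or from FreeBSD): triage the
# hits that a "deny log" rule 200 records in /var/log/security.
#
# Prerequisites on the firewall host (not needed to run this script):
#   ipfw delete 200 && ipfw add 200 deny log ip from any to 127.0.0.0/8
#   sysctl net.inet.ip.fw.verbose=1     # or firewall_logging="YES" in rc.conf
# Each hit is then syslogged on the security facility in the FreeBSD ipfw format
#   ... kernel: ipfw: 200 Deny TCP 192.0.2.10:4444 127.0.0.1:25 in via fxp0
#   ... kernel: ipfw: 200 Deny ICMP:8.0 192.0.2.10 127.0.0.1 in via fxp0
#
# summarize_ipfw_denies FILE [RULE]   (function name is this example's own)
# Prints "iface direction src dst count" for every packet RULE (default 200)
# denied, most frequent first. Because rule 100 already passed everything via
# lo0, any interface other than lo0 here is where the 127/8 packets came in.
summarize_ipfw_denies() {
    logfile=$1
    rule=${2:-200}
    awk -v rule="$rule" '
        {
            # locate the "ipfw:" token; syslog prefixes vary in field count
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next
            if ($(i+1) != rule || $(i+2) != "Deny") next
            src = $(i+4); dst = $(i+5); dir = $(i+6); iface = $(i+8)
            sub(/:[0-9]+$/, "", src)   # TCP/UDP carry a port; ICMP does not
            sub(/:[0-9]+$/, "", dst)
            count[iface " " dir " " src " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' "$logfile" | sort -k5,5nr -k3,3
}

# Constructed sample log (not real output); the sshd line is noise to skip.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 11 02:14:03 gw kernel: ipfw: 200 Deny TCP 192.0.2.10:4444 127.0.0.1:25 in via fxp0
Apr 11 02:14:04 gw kernel: ipfw: 200 Deny TCP 192.0.2.10:4445 127.0.0.1:25 in via fxp0
Apr 11 02:14:09 gw kernel: ipfw: 200 Deny ICMP:8.0 198.51.100.7 127.0.0.2 in via fxp0
Apr 11 02:15:00 gw kernel: ipfw: 300 Deny UDP 127.0.0.1:53 192.0.2.10:53 out via fxp0
Apr 11 02:16:00 gw sshd[123]: Accepted publickey for rob from 192.0.2.10 port 50022 ssh2
EOF

summarize_ipfw_denies "$SAMPLE_LOG" 200
```

Run against the real file with `summarize_ipfw_denies /var/log/security`; passing 300 as the second argument summarises the companion rule instead, where the interesting column is the destination rather than the source. A source address that is a neighbour on the same segment, seen "in via" the LAN interface, is the "external machine directly injects those packets" case Dan describes; a handful of hits from an Internet-facing interface is more likely scanner noise.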
