Re: Localhost traffic and ipfw rules

From: Flemming Jacobsen (fj_at_batmule.dk)
Date: 02/15/04

    Date: Sun, 15 Feb 2004 07:57:24 +0100
    To: erschulz@comcast.net

    erschulz@comcast.net wrote:
    > I seem to be stumped on this one. I have TCP packets
    > destined to my external interface from 127.0.0.1 (Ack+Reset
    > zero data) with source MAC of my default gateway and I
    > can't seem to block this traffic.
    >
    > Snort picked up the traffic and I have confirmed with
    > tcpdump. So I decided I needed to examine my anti-spoof
    > rules. I already had this one
    >
    > deny ip from any to 127.0.0.0/8 in recv ${oif}

    You probably want this as your first 3 rules:
      allow ip from any to any via lo0
      deny ip from any to 127.0.0.0/8
      deny ip from 127.0.0.0/8 to any

    Some say that the TCP stack already takes care of this, but I
    like these rules in my set - just to be 100% sure.

    About the rest of your question, you probably are blocking the
    traffic with your rules.
    BPF, which tcpdump and snort use to snoop packets, picks up
    packets before your ipfw rules are applied, thus you see the full
    packet feed.

            Regards
            Flemming

    PS: Please insert linebreaks so your lines are no longer than
        70-75 characters.

    -- 
    Flemming Jacobsen                                  Email: fj@batmule.dk
       ---===   If speed kills, Windows users may live forever.   ===---
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
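As an added illustration (not code from the thread), the following Python model of ipfw's first-match evaluation shows why the questioner's single rule never matches a packet whose source is 127.0.0.1 and whose destination is the external address, why the third suggested rule does, and why the "allow ... via lo0" rule has to come before the two deny rules. The interface name em0 and the addresses are assumed.

```python
import ipaddress
# Simplified model of ipfw first-match semantics for the rule forms in the
# thread: "allow|deny ip from SRC to DST [via IFACE] [in] [recv IFACE]".
# Not ipfw's code. A packet is {src, dst, iface, dir}; iface is the interface
# it arrived on (dir "in") or leaves on (dir "out").
OIF = "em0"  # assumed name for the external interface, ${oif} in the thread

def parse_rule(text):
    tok = text.split()
    rule = {"action": tok[0], "src": tok[3], "dst": tok[5],
            "via": None, "recv": None, "dir": None}
    i = 6
    while i < len(tok):
        if tok[i] in ("via", "recv"):
            rule[tok[i]] = tok[i + 1]
            i += 2
        elif tok[i] in ("in", "out"):
            rule["dir"] = tok[i]
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return rule

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    if not (in_net(rule["src"], pkt["src"]) and in_net(rule["dst"], pkt["dst"])):
        return False
    if rule["via"] and pkt["iface"] != rule["via"]:
        return False
    if rule["recv"] and (pkt["dir"] != "in" or pkt["iface"] != rule["recv"]):
        return False
    return rule["dir"] is None or pkt["dir"] == rule["dir"]

def verdict(rules, pkt):
    """Return (action, 0-based index) of the first rule that matches."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "deny", None  # default policy when nothing matched

CATCH_ALL = "allow ip from any to any"
QUESTIONER = [parse_rule(r) for r in (
    f"deny ip from any to 127.0.0.0/8 in recv {OIF}", CATCH_ALL)]
SUGGESTED = [parse_rule(r) for r in (
    "allow ip from any to any via lo0",
    "deny ip from any to 127.0.0.0/8",
    "deny ip from 127.0.0.0/8 to any", CATCH_ALL)]
# Constructed packets: the reported RST (source 127.0.0.1, destination the
# external address, arriving on em0) and genuine loopback traffic on lo0.
SPOOFED = {"src": "127.0.0.1", "dst": "203.0.113.10", "iface": OIF, "dir": "in"}
LOOPBACK = {"src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0", "dir": "out"}
```

Running verdict() over the two packets shows the questioner's rule passing the spoofed packet to the catch-all, the suggested set denying it on the "from 127.0.0.0/8" rule, and the suggested set with the lo0 rule moved below the deny rules dropping real loopback traffic.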
    
