Date: Sun, 14 May 2000 22:52:36 -0400 (EDT) From: "Mark W. Krentel" <krentel@dreamscape.com> To: freebsd-ipfw@freebsd.org Subject: rc.firewall rule 200 Message-ID: <200005150252.WAA07148@dreamscape.com>
next in thread | raw e-mail | index | archive | help
The rc.firewall script adds these rules:
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
The second rule blocks packets destined for network 127. But doesn't
it make more sense to block packets *from* 127.0.0.0/8, that is,
packets trying to spoof localhost? I'm wondering if the rule should
actually be:
${fwcmd} add 200 deny all from 127.0.0.0/8 to any
Also, how does rule 200 (original version) ever get invoked? The
packet is not going over loopback because of rule 100. So, why would
a machine forward a packet destined for network 127?
--Mark
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005150252.WAA07148>