Date: Thu, 10 Apr 2008 14:50:10 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Rob <bitabyss@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: ipfw denial log - what's this mean?
Message-ID: <20080410195010.GB4704@dan.emsphone.com>
In-Reply-To: <47FE5EC1.7000809@gmail.com>
References: <47FE5EC1.7000809@gmail.com>
In the last episode (Apr 10), Rob said:
> Hi Everyone,
>
> My 6.2-Release system coughed up a report of denied packets from ipfw
> in its daily security run:
>
> ipfw denied packets:
> +++ /tmp/security.gnkQg5CA Thu Apr 10 03:04:15 2008
> +00200 12 795 deny ip from any to 127.0.0.0/8
>
> What does this mean? I understand that's the loopback interface, but
> I'm not terribly knowledgeable on ipfw. Is this some crack attempt,
> or normal background noise? I don't understand how lo0 would ever
> see any IP addresses other than its own?!
>
> The whole rule set looks like this:
>
> # ipfw show
> 00100 4749394 1011660210 allow ip from any to any via lo0
> 00200 12 795 deny ip from any to 127.0.0.0/8

Since rule 100 matches any lo0 packets, rule 200 actually matches packets
destined to 127.0.0.1 from a _non-loopback_ interface, which isn't usually
possible unless an external machine directly injects those packets onto
the network. You can try changing that rule to a "deny log", then watch
/var/log/security for hits.

--- rc.firewall	20 Feb 2008 01:39:04 -0000
+++ rc.firewall	21 Feb 2008 21:51:44 -0000
@@ -83,8 +83,8 @@
 	# Only in rare cases do you want to change these rules
 	#
 	${fwcmd} add 100 pass all from any to any via lo0
-	${fwcmd} add 200 deny all from any to 127.0.0.0/8
-	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+	${fwcmd} add 200 deny log all from any to 127.0.0.0/8
+	${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any
 }
 
 if [ -n "${1}" ]; then

-- 
	Dan Nelson
	dnelson@allantgroup.com
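Review bot: the two rules changed here live in the block whose comment reads "Only in rare cases do you want to change these rules", which the script's rule profiles share, so every host running this rc.firewall would start logging hits on rules 200 and 300; the comment above them should say so, and because neither rule carries a `logamount`, consider `deny log logamount <n>` so that a burst of traffic to or from 127.0.0.0/8 on a non-loopback interface cannot flood /var/log/security. The advice to watch /var/log/security should also note that ipfw emits these lines only when net.inet.ip.fw.verbose is non-zero (firewall_logging="YES" in rc.conf), otherwise the new `log` keyword changes nothing.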
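As an added example that is not part of the thread, here is a small Python script for the follow-up Dan suggests: tallying the `deny log` hits for rules 200 and 300 in /var/log/security by interface and source address, which is what decides whether the hits are injected 127/8 traffic on a real interface or something else. The log lines below are constructed samples in ipfw's kernel log format; the rule numbers follow the patch.

```python
#!/usr/bin/env python3
"""Tally ipfw 'deny log' hits on the loopback anti-spoof rules (200/300)."""
import re
import sys
from collections import Counter

# ipfw's kernel log line, as syslog writes it to /var/log/security:
#   ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>
# Ports are absent for protocols such as ICMP ("ICMP:8.0"), so they are optional here.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines (not real log data): three inbound hits on rule 200
# arriving on em0, one outbound hit on rule 300, and one unrelated sshd line.
SAMPLE_LOG = """\
Apr 10 03:04:15 gw kernel: ipfw: 200 Deny TCP 192.0.2.5:4444 127.0.0.1:22 in via em0
Apr 10 03:04:16 gw kernel: ipfw: 200 Deny UDP 192.0.2.5:53 127.0.0.1:53 in via em0
Apr 10 03:04:17 gw kernel: ipfw: 200 Deny ICMP:8.0 192.0.2.9 127.0.0.1 in via em0
Apr 10 03:05:00 gw kernel: ipfw: 300 Deny TCP 127.0.0.1:1024 198.51.100.7:80 out via em0
Apr 10 03:05:01 gw sshd[123]: Accepted publickey for rob from 203.0.113.4
""".splitlines()


def parse_line(line):
    """Return the fields of an ipfw log line as a dict, or None for other lines."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def summarize(lines, rules=(200, 300)):
    """Count hits per (rule, interface, source address) for the given rules."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["rule"] in rules:
            counts[(rec["rule"], rec["iface"], rec["src"])] += 1
    return counts


if __name__ == "__main__":
    # Read /var/log/security (or a file given on the command line); fall back to the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for (rule, iface, src), n in sorted(summarize(lines).items()):
        print(f"rule {rule} via {iface} from {src}: {n} hit(s)")
```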