Bad loopback traffic not stopped by ipfw.

Andrea Venturoli ml.ventu at flashnet.it
Tue Feb 24 08:11:25 PST 2004


Hello.

4.8-RELEASE-p15:

In /var/log/all.log I get a lot of:

snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> xx.xx.xx.xx:1055

(src port is always 80, dst port changes, xx.xx.xx.xx is my tun0 IP.)



ifconfig -a gives:

sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.100.55 netmask 0xffffff00 broadcast 192.168.100.255
        ether 00:10:5c:db:ee:c3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.106.1 netmask 0xffffff00 broadcast 192.168.106.255
        ether 00:50:fc:ac:b1:db
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1492
        inet xx.xx.xx.xx --> 192.168.100.1 netmask 0xffffffff
        Opened by PID 58




tcpdumping all interfaces one by one shows the packet only on tun0:

tcpdump -i tun0 -l src or dst 127.0.0.1

17:03:17.069193 127.0.0.1.http > 82.48.28.67.us-gv: R 0:0(0) ack 1889337345 win 0
17:03:18.034467 127.0.0.1.http > 82.48.28.67.tcp-id-port: R 0:0(0) ack 1420099585 win 0
..



ipfw -a l (relevant parts):

00050 1152 388408 divert 8668 ip from any to any via tun0
..
01000    6   1248 allow ip from any to any via lo0 (this is really local ntp traffic)
..
01000    0      0 deny log ip from 127.0.0.0/8 to any in recv tun0



IMHO wrong packets are arriving from the upstream router (for which it would be useless to ask for a fix),
snort and tcpdump correctly report them, but I think I should also see ipfw blocking them. At least this is what I read,
googling around, on a previous thread on freebsd-stable.

I also tried removing rule 50, just in case natd could have a role in this, but the behaviour did not change.



What's wrong?


 bye & Thanks
        av.
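The cross-check the post is after (the sniffers report packets with a 127/8 source on tun0 while the ipfw deny rule's counter stays at zero) written out as a small script. This is an added example, not code from the original post or from FreeBSD's snort, tcpdump or ipfw; the snort, tcpdump and `ipfw -a l` lines below are constructed copies modelled on the ones in the post, with the poster's masked tun0 address replaced by the documentation address 192.0.2.10.

```python
"""Compare what snort/tcpdump saw on tun0 with what ipfw counted.

Added example (not part of the original post). Parses constructed copies of the
three outputs shown in the post, flags packets whose source is in 127.0.0.0/8
but that were captured on a non-loopback interface, and reports any deny rule
for 127.0.0.0/8 whose packet counter is still 0 although such packets were seen.
"""
import ipaddress
import re

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample data; 192.0.2.10 stands in for the poster's tun0 address.
SNORT_LINES = [
    "snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 192.0.2.10:1055",
    "snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 192.0.2.10:1056",
]

TCPDUMP_LINES = [  # as printed by 'tcpdump -i tun0 -l' (constructed)
    "17:03:17.069193 127.0.0.1.http > 192.0.2.10.1055: R 0:0(0) ack 1889337345 win 0",
    "17:03:18.034467 127.0.0.1.http > 192.0.2.10.1056: R 0:0(0) ack 1420099585 win 0",
    "17:03:19.120000 192.0.2.10.1057 > 198.51.100.7.http: S 12345:12345(0) win 65535",
]

IPFW_LISTING = [  # 'ipfw -a l' lines, with the poster's own annotation kept (constructed)
    "00050 1152 388408 divert 8668 ip from any to any via tun0",
    "01000    6   1248 allow ip from any to any via lo0 (this is really local ntp traffic)",
    "01000    0      0 deny log ip from 127.0.0.0/8 to any in recv tun0",
]

SNORT_RE = re.compile(r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
TCPDUMP_RE = re.compile(r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:]+):")
# number, packet counter, byte counter, rule body; a trailing "(...)" annotation is dropped
IPFW_RE = re.compile(r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>.*?)(?:\s+\(.*\))?$")


def spoofed_loopback(src, iface):
    """True when a 127/8 source shows up on anything but the loopback interface."""
    return ipaddress.ip_address(src) in LOOPBACK_NET and iface != "lo0"


def scan_tcpdump(lines, iface):
    """(src, dst) pairs from a capture taken on `iface` that carry a loopback source."""
    hits = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m and spoofed_loopback(m["src"], iface):
            hits.append((m["src"], m["dst"]))
    return hits


def scan_snort(lines):
    """Number of snort alerts whose reported source address is in 127/8."""
    count = 0
    for line in lines:
        m = SNORT_RE.search(line)
        if m and ipaddress.ip_address(m["src"]) in LOOPBACK_NET:
            count += 1
    return count


def parse_ipfw(lines):
    """Turn 'ipfw -a l' lines into (number, packet_count, rule_body) tuples."""
    rules = []
    for line in lines:
        m = IPFW_RE.match(line)
        if m:
            rules.append((int(m["num"]), int(m["pkts"]), m["body"]))
    return rules


def unmatched_deny_rules(rules, observed):
    """Numbers of deny rules for 127.0.0.0/8 that counted nothing although `observed` packets were sniffed."""
    return [num for num, pkts, body in rules
            if body.startswith("deny") and "127.0.0.0/8" in body and pkts == 0 and observed > 0]


if __name__ == "__main__":
    seen = scan_tcpdump(TCPDUMP_LINES, "tun0")
    print(f"tcpdump: {len(seen)} packet(s) with a loopback source on tun0: {seen}")
    print(f"snort:   {scan_snort(SNORT_LINES)} loopback alert(s)")
    for num in unmatched_deny_rules(parse_ipfw(IPFW_LISTING), len(seen)):
        print(f"ipfw rule {num:05d} should have matched but its packet counter is still 0")
```

Run against a real `ipfw -a l` listing and a real capture, the last loop is the signal to look for: a rule that is supposed to drop the traffic the sniffer is reporting, but whose counter never moves.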