ipfw denial log - what's this mean?
Dan Nelson
dnelson at allantgroup.com
Thu Apr 10 19:50:11 UTC 2008
In the last episode (Apr 10), Rob said:
> Hi Everyone,
>
> My 6.2-Release system coughed up a report of denied packets from ipfw
> in its daily security run:
>
> ipfw denied packets:
> +++ /tmp/security.gnkQg5CA Thu Apr 10 03:04:15 2008
> +00200 12 795 deny ip from any to 127.0.0.0/8
>
> What does this mean? I understand that's the loopback interface, but
> I'm not terribly knowledgeable on ipfw. Is this some crack attempt,
> or normal background noise? I don't understand how lo0 would ever
> see any IP addresses other than its own?!
>
> The whole rule set looks like this:
>
> # ipfw show
> 00100 4749394 1011660210 allow ip from any to any via lo0
> 00200 12 795 deny ip from any to 127.0.0.0/8
Since rule 100 matches any lo0 packets, rule 200 actually matches
packets destined to 127.0.0.1 from a _non-loopback_ interface, which
isn't usually possible unless an external machine directly injects
those packets onto the network. You can try changing that rule to a
"deny log", then watch /var/log/security for hits.
--- rc.firewall 20 Feb 2008 01:39:04 -0000
+++ rc.firewall 21 Feb 2008 21:51:44 -0000
@@ -83,8 +83,8 @@
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
- ${fwcmd} add 200 deny all from any to 127.0.0.0/8
- ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+ ${fwcmd} add 200 deny log all from any to 127.0.0.0/8
+ ${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any
}
if [ -n "${1}" ]; then
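Review bot: turning rules 200 and 300 into "deny log" only produces output when ipfw logging is actually enabled, and the hunk changes nothing else; on a stock 6.2 system that means net.inet.ip.fw.verbose must be nonzero (firewall_logging="YES" in rc.conf), and per-rule logging stops once net.inet.ip.fw.verbose_limit (or a "logamount" on the rule) is reached while the deny counters keep climbing, so the log may be silent or go quiet after a few hits unless "ipfw resetlog" is run. Either state that prerequisite next to the change or pass an explicit "logamount" on both rules. The comment just above the hunk, "Only in rare cases do you want to change these rules", now sits over a hunk that changes exactly those rules; a one-line comment saying these two log loopback-address spoofs seen on non-lo0 interfaces would keep that header accurate.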
--
Dan Nelson
dnelson at allantgroup.com
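Added example, not part of the mail above and not ipfw's own code: a small Python model of ipfw's first-match evaluation over the rules in this thread. It parses the two "ipfw show" lines Rob quoted (tolerating the leading "+" the daily security report prints) plus the rule-300 line rc.firewall installs right after them (its zero counters are constructed), evaluates constructed packets, and tallies per-rule hits the way the packet-counter column of "ipfw show" does. The point it makes concrete is the one in the reply: anything seen via lo0 is swallowed by rule 100, so rule 200 can only ever count packets for 127/8 that turn up on some other interface. The interface name em0, the sample addresses, and a default rule of deny (ipfw's default unless the kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT) are assumptions; only the subset of ipfw syntax used in the thread is understood, anything else raises rather than being guessed at.

```python
"""First-match model of the ipfw rules discussed in the thread.

Added example, not ipfw's own code.  Understands only the syntax used in
the thread: allow/pass/deny, 'ip'/'all', 'from X to Y', optional 'log',
optional 'via IFACE'.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 'ipfw show' lines.  100 and 200 are quoted in the post (the leading '+'
# is what the daily security report prints); 300 is the rule rc.firewall
# adds right after 200, with constructed zero counters.
RULE_LINES = [
    "00100 4749394 1011660210 allow ip from any to any via lo0",
    "+00200 12 795 deny ip from any to 127.0.0.0/8",
    "00300 0 0 deny ip from 127.0.0.0/8 to any",
]

# ipfw's implicit last rule; 'deny' is assumed (it is 'allow' only when
# the kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT).
DEFAULT_RULE = 65535
DEFAULT_ACTION = "deny"

RULE_RE = re.compile(
    r"^\+?(?P<num>\d+)(?:\s+\d+\s+\d+)?\s+(?P<action>allow|pass|deny|drop)"
    r"(?P<log>\s+log)?\s+(?:ip|all)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?$"
)


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                           # "allow" or "deny"
    log: bool
    src: Optional[ipaddress.IPv4Network]  # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    via: Optional[str]                    # interface name, or None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet is seen on ('via' matches in or out)


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported ipfw syntax: {line!r}")
    action = "allow" if m["action"] in ("allow", "pass") else "deny"
    return Rule(int(m["num"]), action, m["log"] is not None,
                _net(m["src"]), _net(m["dst"]), m["via"])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt):
            return rule.action, rule.num
    return DEFAULT_ACTION, DEFAULT_RULE


def tally(rules: List[Rule], packets: List[Packet]) -> Dict[int, int]:
    """Per-rule hit counts, i.e. the packet-counter column of 'ipfw show'."""
    counts: Dict[int, int] = {}
    for pkt in packets:
        _, num = evaluate(rules, pkt)
        counts[num] = counts.get(num, 0) + 1
    return counts


RULES = [parse_rule(line) for line in RULE_LINES]

# Constructed traffic; 'em0' is an assumed wired interface name.
SAMPLE_PACKETS = [
    Packet("127.0.0.1", "127.0.0.1", "lo0"),  # ordinary local traffic
    Packet("10.0.0.1", "10.0.0.1", "lo0"),    # own address, still via lo0
    Packet("10.0.0.5", "127.0.0.1", "em0"),   # 127/8 target arriving on the wire
    Packet("127.0.0.1", "10.0.0.1", "em0"),   # 127/8 source arriving on the wire
    Packet("10.0.0.5", "10.0.0.1", "em0"),    # falls through to the default rule
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, num = evaluate(RULES, pkt)
        print(f"{pkt.src:>10} -> {pkt.dst:<10} via {pkt.iface}: {action} (rule {num})")
    print("hits per rule:", tally(RULES, SAMPLE_PACKETS))
```

Run it and the two packets on em0 that carry a 127/8 address land on rules 200 and 300 respectively, while everything on lo0, whatever its addresses, stops at rule 100; that is exactly the traffic the 12-packet counter on rule 200 is reporting. The model deliberately ignores protocols, ports and the in/out direction, since the three rules in the thread use none of them.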