Localhost traffic and ipfw rules
erschulz
comcast.net
Date: Sat Feb 14 2004 - 09:52:59 CST
I seem to be stumped on this one. I have TCP packets destined to my external interface from 127.0.0.1 (Ack+Reset zero data) with source MAC of my default gateway and I can't seem to block this traffic.
Snort picked up the traffic and I have confirmed with tcpdump. So I decided I needed to examine my anti-spoof rules. I already had this one:
deny ip from any to 127.0.0.0/8 in recv ${oif}
This never triggered on this traffic so I figured it must be looking for a SYN before it would trigger. So I added the following:
deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst
This still didn't block the traffic. So, I added the following:
deny ip from 127.0.0.0/8 to ${oif}
And the packets are still not triggering any of these rules and I've moved them up to the top of the list just to be sure I hadn't made an order of precedence error.
So, I'm open to ideas now. It is definitely coming in on my external interface, and its src MAC is definitely the MAC of my ISP's router. So, have I missed something? How do I drop these packets?
Thx.
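
Added example (not part of the original post): a small Python check that reads `tcpdump -e -n` text output and picks out frames whose IP source address is in 127.0.0.0/8, then tallies them by source MAC and TCP flags, which is the observation the post describes. The capture lines, addresses, ports and MACs are constructed documentation placeholders, and the modern tcpdump line format is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n` output (modern line format); the
# addresses, ports and MACs are documentation placeholders, not from the post.
SAMPLE = """\
09:52:59.100001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.0.2.10.1047: Flags [R.], seq 0, ack 1, win 0, length 0
09:52:59.200002 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 198.51.100.7.443 > 192.0.2.10.50112: Flags [S.], seq 1, ack 2, win 65535, length 0
09:53:00.300003 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.0.2.10.1733: Flags [R.], seq 0, ack 1, win 0, length 0
"""

# One frame per line: timestamp, link-level MACs, then IPv4 src.port > dst.port.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def loopback_sourced(capture_text):
    """Return parsed frames whose IP *source* address is in 127.0.0.0/8."""
    hits = []
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if m and ipaddress.ip_address(m["src"]) in LOOPBACK:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Count hits per (source MAC, TCP flags) to show which neighbour sent them."""
    return Counter((h["smac"], h["flags"]) for h in hits)


if __name__ == "__main__":
    for (smac, flags), n in summarize(loopback_sourced(SAMPLE)).items():
        print(f"{n} frame(s) src in 127.0.0.0/8 flags=[{flags}] via MAC {smac}")
```
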