I seem to be stumped on this one. I have TCP packets destined to my
external interface from 127.0.0.1 (Ack+Reset zero data) with source MAC
of my default gateway and I can't seem to block this traffic.

Snort picked up the traffic and I have confirmed with tcpdump. So I
decided I needed to examine my anti-spoof rules. I already had this one

    deny ip from any to 127.0.0.0/8 in recv ${oif}

This never triggered on this traffic so I figured it must be looking
for a SYN before it would trigger. So I added the following:

    deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst

This still didn't block the traffic. So, I added the following:

    deny ip from 127.0.0.0/8 to ${oif}

And the packets are still not triggering any of these rules and I've
moved them up to the top of the list just to be sure I hadn't made an
order of precedence error.

So, I'm open to ideas now. It is definitely coming in on my external
interface, and its src MAC is definitely the MAC of my ISP's router.
So, have I missed something? How do I drop these packets?

Thx.
erschulz@comcast.net wrote:
> I seem to be stumped on this one. I have TCP packets
> destined to my external interface from 127.0.0.1 (Ack+Reset
> zero data) with source MAC of my default gateway and I
> can't seem to block this traffic.
>
> Snort picked up the traffic and I have confirmed with
> tcpdump. So I decided I needed to examine my anti-spoof
> rules. I already had this one
>
> deny ip from any to 127.0.0.0/8 in recv ${oif}

You probably want this as your first 3 rules:

    allow ip from any to any via lo0
    deny ip from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any

Some say that the TCP stack already takes care of this, but I like
these rules in my set - just to be 100% sure.

About the rest of your question, you probably are blocking the traffic
with your rules. Bpf, which tcpdump and snort use to snoop packets,
picks up packets before your ipfw rules are applied, thus you see the
full packet feed.

Regards
Flemming

PS: Please insert linebreaks so your lines are no longer than 70-75
characters.

--
Flemming Jacobsen                         Email: fj@batmule.dk
---=== If speed kills, Windows users may live forever. ===---
On Sun, 15 Feb 2004, Flemming Jacobsen wrote:
> You probably want this as your first 3 rules:
>     allow ip from any to any via lo0
>     deny ip from any to 127.0.0.0/8
>     deny ip from 127.0.0.0/8 to any
>
> Some say that the TCP stack already takes care of this, but I
> like these rules in my set - just to be 100% sure.
>

Sorry about the long lines. I hope this one is better.

Well, let me see if I can clarify what I am seeing. My rules are
similar, but the counters are not incrementing. That's when I started
adding the other rules just to see if the counters would increment.
The second rule below is a dead-on match for the packets I captured
with tcpdump. Still, the counters do not increment.

    0 0 deny ip from any to 127.0.0.0/8 in recv dc0
    0 0 deny tcp from 127.0.0.1 to x.x.x.x tcpflags ack,rst
    0 0 deny ip from 127.0.0.0/8 to x.x.x.x

As you can see, none of these have incremented. And, this has been the
case every time even though snort identified the traffic and I
captured it with tcpdump. The counters were still zeros.

The traffic is not present on lo0 or my internal interface. It is only
present on my external interface. I'm not so much concerned about the
traffic as I am with the failure of the counters to increment.

Thx,
Richard
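As an added example (not from any of the posts above), a small Python checker that applies the subset of ipfw matching syntax used in this thread (proto, src/dst with CIDR, in/out, recv, tcpflags) to a captured packet, so a defender can confirm on paper which rules should have counted the ACK+RST packet from 127.0.0.1 and compare that with the `ipfw -a list` counters. The rule numbers, the zero counters and the external address 198.51.100.7 are constructed stand-ins for Richard's x.x.x.x.

```python
import ipaddress

def _addr_match(spec, addr):
    # "any" matches everything; otherwise host or CIDR membership
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse one `ipfw -a list` line: <num> <pkts> <bytes> <action> <proto> from <src>
    to <dst> [in|out] [recv IF] [tcpflags F,F]  (only this subset of ipfw syntax)."""
    t = line.split()
    rule = {"num": int(t[0]), "pkts": int(t[1]), "action": t[3], "proto": t[4],
            "src": t[6], "dst": t[8], "direction": None, "recv": None, "tcpflags": None}
    opts = t[9:]
    for i, o in enumerate(opts):
        if o in ("in", "out"):
            rule["direction"] = o
        elif o == "recv":
            rule["recv"] = opts[i + 1]
        elif o == "tcpflags":
            rule["tcpflags"] = frozenset(opts[i + 1].split(","))
    return rule

def rule_matches(rule, pkt):
    """Apply the rule's criteria to a packet dict (proto, src, dst, recv, direction, tcpflags)."""
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["direction"] and rule["direction"] != pkt["direction"]:
        return False
    if rule["recv"] and rule["recv"] != pkt["recv"]:
        return False
    # tcpflags: every listed flag must be set ("!flag" negation is not handled here)
    return rule["tcpflags"] is None or rule["tcpflags"] <= pkt["tcpflags"]

def matching_rules(ruleset, pkt):
    """(rule number, packet counter) for each rule that matches on paper. A match whose
    counter stays 0 means ipfw never saw the packet although bpf (tcpdump, snort) did."""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
    return [(r["num"], r["pkts"]) for r in rules if rule_matches(r, pkt)]

# Constructed `ipfw -a list` output: rule numbers, zero counters and the
# external address 198.51.100.7 are made up for this example.
RULESET = """00100 0 0 deny ip from any to 127.0.0.0/8 in recv dc0
00200 0 0 deny tcp from 127.0.0.1 to 198.51.100.7 tcpflags ack,rst
00300 0 0 deny ip from 127.0.0.0/8 to 198.51.100.7
"""
# The packet from the thread: TCP ACK+RST from 127.0.0.1, received on dc0.
CAPTURED = {"proto": "tcp", "src": "127.0.0.1", "dst": "198.51.100.7",
            "recv": "dc0", "direction": "in", "tcpflags": frozenset({"ack", "rst"})}
```

Running `matching_rules(RULESET, CAPTURED)` reports rules 200 and 300 as matches with counters of 0, which is the situation Richard describes: the rules are written correctly, and the packet was handled before the ipfw hook ran.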