Hi Chris,

The net address and subnet mask combination that is 96.0.0.0/3 covers the range 96.0.0.0 to 127.255.255.255.

You are therefore blocking all traffic to the localhost address (127.0.0.0). Now, I'm a networking bloke not an MIS person but I would assume this is BAD as services/apps on your machine would want to use this address.

What you need to do is have a rule ahead of this specifying:

    allow all from any to any via lo0

If you need a tool to help visualising firewall policy I would recommend /usr/ports/security/fwbuilder. It needs a bit of a hack to make NAT work which I've posted previously to this list.

Thanks,
Phil.

> -----Original Message-----
> From: Chris [mailto:[EMAIL PROTECTED]
> Sent: 01 November 2003 16:56
> To: [EMAIL PROTECTED]
> Subject: IPFW strange events
>
> Hello,
>
> This is occurring on a 4.8-RELEASE server using IPFW2...
>
> I have numerous rules that block bogus networks... one of which is:
>
> ipfw add 0104 deny log ip from 96.0.0.0/3 to any
>
> And I know it's working because using "ipfw list" I get:
>
> 00104 deny log ip from 96.0.0.0/3 to any
>
> Whenever that rule is active, it's blocking packets - "ipfw show":
>
> 00104 21 1148 deny log ip from 96.0.0.0/3 to any
>
> BUT....
>
> Various services stop working... so I look at
> /var/log/security and see NUMEROUS entries such as this:
>
> Nov 1 10:30:00 server /kernel: ipfw: 104 Deny TCP
> 127.0.0.1:1051 127.0.0.1:80 out via lo0
>
> Now I don't see anything in the rule about the localhost
> address, yet that's what it's blocking. But a little bit
> ahead of that rule, I do have this one:
>
> ipfw add 082 divert natd all from any to any via fxp0
>
> Would it help to put all the bogus network deny rules ahead
> of the divert rule?
>
> Stumped,
> Chris
>
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
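
An added example, not part of the original messages: a Python check for the situation in this thread, where a deny rule's CIDR silently covers 127.0.0.0/8 and no loopback allow rule comes first. The rule-line format is a simplified assumption modelled on the `ipfw list` output quoted above, and `SAMPLE_RULES`, `to_network` and `loopback_shadowing` are names made up for this example.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ALLOW = {"allow", "accept", "pass", "permit"}
DENY = {"deny", "drop"}

# Constructed sample in "ipfw list" style, built from the rules quoted in the thread.
SAMPLE_RULES = """\
00082 divert natd ip from any to any via fxp0
00104 deny log ip from 96.0.0.0/3 to any
00105 deny log ip from 10.0.0.0/8 to any
"""

# Simplified rule grammar (assumption): number, action, optional "log", protocol,
# "from SRC to DST", optional "via IFACE". Other rule forms are skipped.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>[a-z]+)\s+(?:log\s+)?\S+\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+via\s+(?P<iface>\S+))?"
)


def to_network(token):
    """Map an ipfw address token to a network; None for tokens not handled here."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def loopback_shadowing(ruleset):
    """List deny rules that match 127.0.0.0/8 traffic before any allow via lo0."""
    findings = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        if m["action"] in ALLOW and m["iface"] == "lo0" and m["src"] == m["dst"] == "any":
            break  # first match wins: loopback is accepted before any later deny
        if m["action"] not in DENY or m["iface"] not in (None, "lo0"):
            continue
        src, dst = to_network(m["src"]), to_network(m["dst"])
        if src is None or dst is None:
            continue
        if src.overlaps(LOOPBACK) and dst.overlaps(LOOPBACK):
            wide = src if m["src"] != "any" else dst
            findings.append((int(m["num"]), str(wide), f"{wide[0]}-{wide[-1]}"))
    return findings
```

Run against the sample, only rule 104 is reported, with its full range 96.0.0.0-127.255.255.255; a ruleset that starts with an allow rule on lo0 reports nothing.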