Great Circle Associates Firewalls
(December 1995)
 


Subject: connections from localhost 127.0.0.1
From: "Greg Hume" <ghume @ cybergraphic . com . au>
Date: Wed, 13 Dec 95 10:30:30 eet
To: firewalls @ greatcircle . com

     Hi all,
     
     This one has stumped me!
     
     Checked my logs this morning and found a connection to FTPD from local 
     host 127.0.0.1. This was allowed via netperm-table (FWTK).
     
     Further checks revealed no interactive login at that time on the host.
     
     I have not found any other records in the logs about other processes 
     other than HTTPD at the same time.
     
     Could this indicate...
     
     A. Somehow an ftp/gopher via HTTP came back at itself?
        Could it have originated from local host after all?
     
     B. Packets with destination address of <firewall> source address of    
        <127.0.0.1> and return route to <somewhere on net> were received.
     
     I have updated netperm-table to disallow 127.0.0.1. This by itself 
     would make recording scenario <B> attacks harder to identify.
     
     I have added filter rules to internet choke router to drop incoming 
     packets with source address of <firewall> and <127.0.0.1>. I think 
     this will remove threat of scenario <B> but I am still left wondering 
     where the ftp from local host actually came from.
     
     Any thoughts or comments welcome.
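
Added example (not part of the original post): a Python sketch of the ingress check described above, applied to raw IPv4 headers as they would arrive on the external interface. It drops loopback or firewall-address sources and also flags the source-route options that scenario B relies on, which goes slightly beyond the two rules in the post; the addresses, helper names and sample headers are constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# IPv4 option types for source routing (RFC 791): LSRR = 131, SSRR = 137
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}

def build_header(src, dst, options=b""):
    """Build a constructed IPv4 header (checksum left at 0) for sample input."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options

def source_route_options(header):
    """Return the names of source-route options present in an IPv4 header."""
    ihl = (header[0] & 0x0F) * 4
    opts, found, i = header[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            found.append("MALFORMED")      # bad option length: treat as suspicious
            break
        if kind in SOURCE_ROUTE_OPTS:
            found.append(SOURCE_ROUTE_OPTS[kind])
        i += opts[i + 1]
    return found

def ingress_verdict(header, firewall_addr):
    """Decide what an external-interface filter should do with this packet."""
    ihl = (header[0] & 0x0F) * 4 if header else 0
    if ihl < 20 or len(header) < ihl or header[0] >> 4 != 4:
        return "drop", ["malformed IPv4 header"]
    src = ipaddress.ip_address(header[12:16])
    reasons = []
    if src in LOOPBACK:
        reasons.append("loopback source on external interface")
    if src == ipaddress.ip_address(firewall_addr):
        reasons.append("firewall's own address as source")
    reasons += [f"source-route option {o}" for o in source_route_options(header)]
    return ("drop" if reasons else "pass"), reasons
```

Logging the returned reasons at the router keeps scenario B visible even after the proxy itself refuses 127.0.0.1.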


