
Re: Lots of traffic on internal interface



On Tue, Nov 22, 2005 at 11:51:50PM -0500, [email protected] wrote:
> While running pftop, or pfctl -vvs state, I see a lot of traffic from
> the firewall machine to itself over the internal LAN interface port. I am
> not sure what service would route something out a local interface to
> itself; it feels more like a misconfiguration. Thoughts?

Do you have any route-to or reply-to lo0 rules? Otherwise it's odd that
you'd see connections on the loopback interface with addresses other
than 127.0.0.1.
You can list what processes use which tcp ports with
  # fstat | grep tcp
and look for either port 3493 or 33733, at least one of the endpoints
should be a local process.
Or sniff some of the traffic with
  # tcpdump -s 1600 -nvvvXi lo0
maybe the packet payload gives a clue to what those connections are.
Once you know that the connections are legitimate, you can tell pf to
skip processing packets on lo0, with a line like this in pf.conf
  set skip on lo0
Daniel
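The fstat check suggested above, as an added example that is not part of the original mail: a small shell function that takes fstat(1)-style socket lines on stdin and prints the process and PID whose local endpoint is bound to a given port. The sample lines are constructed, and the field layout (USER CMD PID FD internet stream tcp ADDR ADDR:PORT <-> ADDR:PORT) is an assumption to check against your own fstat output.

```shell
#!/bin/sh
# owners_of_port PORT  < fstat_output
# Prints "CMD PID" for every TCP socket whose local endpoint uses PORT.
# Field layout is assumed (see lead-in); adjust the field numbers if your
# fstat(1) prints the socket columns differently.
owners_of_port() {
  port="$1"
  awk -v p="$port" '
    $5 == "internet" && $7 == "tcp" {
      # The first token of the form ADDR:PORT is the local endpoint.
      for (i = 8; i <= NF; i++) {
        if (split($i, a, ":") == 2) {
          if (a[2] == p) print $2, $3
          break
        }
      }
    }'
}

# Constructed sample resembling the situation in the thread: the firewall
# talking to itself on its own LAN address, so both endpoints are local
# processes (daemon_a on 3493, client_b on the ephemeral port 33733).
SAMPLE='root daemon_a 1234 5* internet stream tcp 0x0 192.168.1.1:3493 <-> 192.168.1.1:33733
root client_b 2345 4* internet stream tcp 0x0 192.168.1.1:33733 <-> 192.168.1.1:3493
root sshd 777 3* internet stream tcp 0x0 192.168.1.1:22 <-> 192.168.1.50:40001'

# Real use: fstat | owners_of_port 3493
printf '%s\n' "$SAMPLE" | owners_of_port 3493
```

If a port shows up in pf state but no local process owns either endpoint, that is the point at which the tcpdump on lo0 becomes the next step.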