From owner-freebsd-questions Wed Apr 28 21:54:44 1999 Delivered-To: freebsd-questions@freebsd.org Received: from WEBBSD1.turnaround.com.au (webbsd1.turnaround.com.au [203.39.138.49]) by hub.freebsd.org (Postfix) with ESMTP id 8AD9E14E09 for ; Wed, 28 Apr 1999 21:54:40 -0700 (PDT) (envelope-from A_Johns@TurnAround.com.au) Received: from TurnAround.com.au (dhcp64.turnaround.com.au [192.168.1.64]) by WEBBSD1.turnaround.com.au (8.8.7/8.8.7) with ESMTP id PAA13925; Thu, 29 Apr 1999 15:04:24 +1000 (EST) (envelope-from A_Johns@TurnAround.com.au) Message-ID: <3727E629.275F333F@TurnAround.com.au> Date: Thu, 29 Apr 1999 14:55:05 +1000 From: Andrew Johns Organization: TurnAround Solutions P/L X-Mailer: Mozilla 4.5 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: hjcs@home.com Cc: Guy Helmer , freebsd-questions@FreeBSD.ORG Subject: Re: ipfw rules References: <3727B56C.2D8D0ED1@home.com> <3727D06A.23DECCAA@TurnAround.com.au> <3727E51B.6B0C7935@home.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Christoff Snijders wrote: > > Andrew Johns wrote: > > > > [snip] > > > > > What you could try is to enable logging - when I was unsure of what > > was happening, I retained the existing rules that I was using and > > added a rule such as: > > ipfw add 65530 deny log all from any to any > > [snip] > > Great idea! I did this, but now my problem is that I don't know how to > interpret the output, or what I should do about what I see. > > There are only two entries in the log file, repeated 50 times each, > before the logger stops for that rule. The entries read: > > Apr 28 21:13:15 hostname /kernel: ipfw: 63000 Deny UDP 0.0.0.0:68 > 255.255.255.255:67 in via ed2 > Apr 28 21:13:15 hostname /kernel: ipfw: 63000 Deny UDP 123.456.78.123:68 > 255.255.255.255:67 in via ed2 > Apr 28 21:13:15 hostname /kernel: ipfw: limit reached on rule #63000 > > I don't really know what this means, but I tried adding the following > rules in the appropriate place in the rule set, but they did not work. > Assume that my IP address is 111.111.111.111: > > ipfw add allow udp from 0.0.0.0 to 111.111.111.111 in via ed2 > ipfw add allow udp from 123.456.78.123 to 111.111.111.111 in via ed2 > Eeek! Never allow something in until you know what it is. http://www.con.wesleyan.edu/~triemer/network/docservs.html identifies port 68 as the bootp client port - so it looks as though someone is trying to boot their machine from yours - I could be wrong on this - anybody else have any ideas? (I'm unaware of any potential security probs with bootp, although I've done no searching to find out either :) ) -- Regards | _/\_/\ Andrew Johns BSc (Comp Sci) | / \ TurnAround Solutions Pty Ltd | \_...__/ http://www.turnaround.com.au/ | \/ "The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message