From: "Stephan Weaver" <stephanweaver@hotmail.com>
To: freebsd-questions@freebsd.org
Date: Mon, 27 Jun 2005 11:18:40 -0400
Subject: IPF Logging packets Every 2-10 Seconds.
List-Id: User questions <freebsd-questions@freebsd.org>

Hello list,

My IPF Firewall System is logging packets almost every 2 - 10 seconds. I would like to narrow this problem down.
firewall# cat /etc/ipf.rules
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on vr0 from any to any keep state
pass in quick on vr1 all
pass out quick on vr1 all

# Block all inbound traffic from non-routable or reserved address spaces
block in log quick on vr0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on vr0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on vr0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on vr0 from 127.0.0.0/8 to any       #loopback
block in log quick on vr0 from 0.0.0.0/8 to any         #loopback
block in log quick on vr0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on vr0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on vr0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in log quick on vr0 from 224.0.0.0/3 to any       #Class D & E multicast

# Block frags
block in quick on vr0 all with frags

# Block short tcp packets
block in quick on vr0 proto tcp all with short

# Block source routed packets
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on vr0 proto tcp all flags FUP
block in log first quick on vr0 proto tcp all flags SF/SFRA
block in log first quick on vr0 proto tcp all flags /SFRA
block in log first quick on vr0 proto tcp all flags F/SFRA
block in log first quick on vr0 proto tcp all flags U/SFRAU
block in log first quick on vr0 proto tcp all flags P

# Block anything with special options
block in quick on vr0 all with ipopts

# Block public pings
block in log quick on vr0 proto icmp all icmp-type 8

# TSTT NameServers
pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep state
pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a "denial of service" attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on vr0 all

firewall# tail -f /var/log/ipfilter.log
27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:06.598363 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
27/06/2005 11:14:12.515511 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
27/06/2005 11:14:14.470027 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:17.432263 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:23.439618 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:29.633637 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:30.068091 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:32.592810 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:32.954266 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:38.859627 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:38.993186 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:03.372975 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:06.350342 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:12.289440 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:14.453865 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:17.418664 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:23.462695 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:53.929698 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:54.745636 vr0 @0:27 b 70.176.85.4,2263 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:55.988928 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:58.693653 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:16:01.582810 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:16:02.423821 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
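To narrow a log like the one above down to which rule and which traffic is producing the entries, a small parser for the ipmon line layout the post shows (date, time, interface, @group:rule, action, src,port -> dst,port, PR proto, len, flags, direction) can tally blocked entries per firing rule, per destination port and per source host. This is an added example, not code from the original post; the sample entries are constructed in the same layout, and the regex assumes that field order.

```python
import re
from collections import Counter

# Layout of one ipmon(8) line as it appears in the post's /var/log/ipfilter.log:
#   date time iface @group:rule action src,sport -> dst,dport PR proto len hlen total [flags] dir
# Ports and TCP flags are optional so UDP/ICMP entries parse too (assumed layout).
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bpSL]) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))?.* (?P<dir>IN|OUT)$"
)

def parse_ipmon_line(line):
    """Return the fields of one ipmon line as a dict, or None if the line does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport", "hlen", "tlen"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def summarize_blocks(lines):
    """Count blocked ('b') packets per firing rule, per proto/dst port and per source host."""
    by_rule, by_dport, by_src = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["action"] != "b":
            continue  # skip passed packets and lines in another format
        by_rule["@%d:%d" % (rec["group"], rec["rule"])] += 1
        by_dport[(rec["proto"], rec["dport"])] += 1
        by_src[rec["src"]] += 1
    return by_rule, by_dport, by_src

# Constructed sample entries in the post's layout (documentation-range addresses, not the post's data).
SAMPLE_LOG = [
    "27/06/2005 11:13:48.699874 vr0 @0:27 b 203.0.113.10,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:13:54.736606 vr0 @0:27 b 203.0.113.10,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:09.699265 vr0 @0:27 b 198.51.100.7,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:20.000000 vr0 @0:4 b 192.168.55.9,1024 -> 192.168.1.1,53 PR udp len 20 60 IN",
    "27/06/2005 11:14:25.000000 vr0 @0:25 p 196.3.132.1,53 -> 192.168.1.1,1025 PR udp len 20 120 IN",
    "this line is not an ipmon entry and is ignored",
]

if __name__ == "__main__":
    rules, ports, srcs = summarize_blocks(SAMPLE_LOG)
    for name, counts in (("rule", rules), ("proto/dport", ports), ("source", srcs)):
        print(name, counts.most_common(3))
```

Run against the real file with `summarize_blocks(open("/var/log/ipfilter.log"))`; the top rule tells you which line of ipf.rules is firing, and the top port/source pair tells you what traffic it is catching.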