Date:      Mon, 26 Nov 2001 23:12:32 -0500 (EST)
From:      Darren Henderson <darren@nighttide.net>
To:        cjclark@alum.mit.edu
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: oddities or misunderstandings?
Message-ID:  <Pine.BSF.4.40.0111262303430.58309-100000@localhost>
In-Reply-To: <20011126115401.D232@gohan.cjclark.org>

On Mon, 26 Nov 2001, Crist J. Clark wrote:

> On Mon, Nov 26, 2001 at 10:55:33AM -0500, Darren Henderson wrote:
> >
> > They don't appear to be coming in through the dynamic rules yet my default
> > final rule (deny ip from any to any) doesn't catch them.
>
> How have you checked this?

Well, not sure how to check it definitively, frankly. There are perhaps
dozens of these but not hundreds so they are not terribly predictable.
They tend to come in 4 or 5 at a time (which kind of reinforces the timeout
idea). I've just been glancing over the dynamic rules when I notice
one and haven't spied it in there yet. Hardly definitive though.

Guess I will have to install snort and see what I can catch.

> Was the first rule that did catch them also after you check-state?

No, first rule was quite high up in the rules prior to the check-state.
Again making it look like a dynamic rule problem.

> How are you doing the scan? Are there networks which you do not
> control between the scanner and the firewall? It has actually come to
> the point where some ISPs filter some of the most common trojan ports.

Ah, good point, yes, there was another firewall in between us when I ran
the scan, they must have begun doing outbound filtering. That probably
explains that much at least.

______________________________________________________________________
Darren Henderson                                  darren@nighttide.net

                   Help fight junk e-mail, visit http://www.cauce.org/

