Date: Mon, 08 May 2000 20:15:41 -0500
From: Richard Martin <dmartin@origen.com>
To: Tom Legg <tjlegg@shore.net>
Cc: Mark Murray <mark@grondar.za>, tjlegg@shore.net, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall Rules
Message-ID: <391766BD.CCFEE646@origen.com>
References: <20000505080928.Q80532@draenor.org> <200005071311.PAA18519@grimreaper.grondar.za> <p04310102b53b25beb504@[207.244.92.51]>
Tom Legg wrote:
>
> $fwcmd add allow udp from x.x.x.x 53 to any 1024-65535 in recv tun0
>
> This at least removes probing of the privileged ports from a remote
> port 53.

Question. I have a similar rule in the firewall of our nameserver:

    ipfw add allow udp from x.x.x.x 53 to any 1024-65535 out via ed0

Are all DNS replies handled at ports > 1023? I sometimes get these:

    May 8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 4.17.20.4:673 out via ed0

Legitimate request or probe?

Also, I have denied TCP transfers at port 53 except to our slaves, and I
occasionally get brief bursts of packets like this:

    May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3835 192.76.144.16:53 out via ed0
    May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3833 193.0.0.193:53 out via ed0
    May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3836 198.6.1.182:53 out via ed0

Most of the IPs in these seem to be spoofed. Any idea what sort of attack
signature this is?

-- 
Richard Martin                    dmartin@origen.com
OriGen, inc.                      Tel: +1 512 474 7278
2525 Hartford Rd.                 Fax: +1 512 708 8522
Austin, TX 78703                  http://www.origen.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?391766BD.CCFEE646>
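The ipfw log lines quoted in the message all have the same shape, and the question in each case is which side of the author's reply rule they fall on. The script below is an added example for this archived thread, not code from the original message or from FreeBSD. It parses ipfw Deny lines of the form shown, classifies the DNS-related ones, reports replies whose destination port lies outside the 1024-65535 range of the rule (a DNS answer is sent back to the source port the query arrived from, so a reply to port 673 means a query came in from port 673), and groups outbound TCP connections to remote port 53 that share a timestamp into bursts. The sample log lines are copied from the message with X.X.X.X kept as written; the burst threshold of three lines per second and the function names are assumptions of the example.

```python
"""Classify ipfw Deny log lines that involve DNS (port 53).

Added example for the freebsd-ipfw thread above; not code from the message.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Destination range of the reply rule quoted in the message:
#   ipfw add allow udp from x.x.x.x 53 to any 1024-65535 out via ed0
REPLY_PORT_LO, REPLY_PORT_HI = 1024, 65535

# syslog prefix, kernel tag, then the ipfw body: "<rule> <action> <proto> src:sport dst:dport <dir> via <iface>"
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+\S+:\s+"
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)


@dataclass(frozen=True)
class IpfwEvent:
    ts: str
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_ipfw_line(line):
    """Return an IpfwEvent for a TCP/UDP ipfw log line, or None if the line is not one."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return IpfwEvent(ts=g["ts"], rule=int(g["rule"]), action=g["action"], proto=g["proto"],
                     src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
                     direction=g["direction"], iface=g["iface"])


def reply_port_allowed(port, lo=REPLY_PORT_LO, hi=REPLY_PORT_HI):
    """True if a reply to this port passes the 'to any 1024-65535' rule."""
    return lo <= port <= hi


def classify(ev):
    """Name the DNS traffic pattern an event belongs to; 'other' for non-DNS lines."""
    if ev.proto == "UDP" and ev.sport == 53 and ev.direction == "out":
        # Answer leaving the local server; it goes to whatever source port the query used.
        return "udp-reply" if reply_port_allowed(ev.dport) else "udp-reply-to-low-port"
    if ev.proto == "UDP" and ev.dport == 53 and ev.direction == "in":
        # Query arriving; a low source port here predicts a denied reply later.
        return "udp-query" if reply_port_allowed(ev.sport) else "udp-query-from-low-port"
    if ev.proto == "TCP" and ev.dport == 53:
        return "tcp-to-remote-53" if ev.direction == "out" else "tcp-to-local-53"
    return "other"


def summarize(lines, burst_min=3):
    """Count classes, list replies the rule cannot pass, and find same-second TCP bursts."""
    events = [ev for ev in map(parse_ipfw_line, lines) if ev is not None]
    counts = Counter(classify(ev) for ev in events)
    low_port_replies = [(ev.dst, ev.dport) for ev in events
                        if classify(ev) == "udp-reply-to-low-port"]
    by_ts = defaultdict(list)
    for ev in events:
        if classify(ev) == "tcp-to-remote-53":
            by_ts[ev.ts].append(ev.dst)
    bursts = {ts: dsts for ts, dsts in by_ts.items() if len(dsts) >= burst_min}  # assumed threshold
    return {"counts": dict(counts), "low_port_replies": low_port_replies, "tcp_bursts": bursts}


# Sample input copied from the message (X.X.X.X is the author's placeholder).
SAMPLE_LOG = """\
May 8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 4.17.20.4:673 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3835 192.76.144.16:53 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3833 193.0.0.193:53 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3836 198.6.1.182:53 out via ed0
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The direction field carries more information than the addresses: an outbound packet whose source is the local nameserver's own address was generated by the local host (unless it also forwards traffic for others), so the rule 7400 lines are connections the local host opened towards remote port 53. Resolvers and servers retry over TCP port 53 when a UDP answer is truncated, and a firewall log cannot show that, so the script reports only direction, remote port and timing and leaves the interpretation to the reader.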
