From owner-freebsd-ipfw Mon May 8 18:18: 9 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 1459B37BA76 for ; Mon, 8 May 2000 18:18:02 -0700 (PDT) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id UAA79819; Mon, 8 May 2000 20:17:47 -0500 (CDT) (envelope-from dmartin@origen.com)
Message-ID: <391766BD.CCFEE646@origen.com>
Date: Mon, 08 May 2000 20:15:41 -0500
From: Richard Martin
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Tom Legg
Cc: Mark Murray, tjlegg@shore.net, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall Rules
References: <20000505080928.Q80532@draenor.org> <200005071311.PAA18519@grimreaper.grondar.za>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Tom Legg wrote:
> > $fwcmd add allow udp from x.x.x.x 53 to any 1024-65535 in recv tun0
>
> This at least removes probing of the privileged ports from a remote
> port 53.

Question. I have a similar rule in the firewall of our nameserver:

    ipfw add allow udp from x.x.x.x 53 to any 1024-65535 out via ed0

Are all DNS replies handled at ports > 1023? I sometimes get these:

    May 8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 4.17.20.4:673 out via ed0

Legitimate request or probe?

Also, I have denied TCP transfers at port 53 except to our slaves, and I occasionally get brief bursts of packets like this:

    May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3835 192.76.144.16:53 out via ed0
    May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3833 193.0.0.193:53 out via ed0
    May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3836 198.6.1.182:53 out via ed0

Most of the IPs in these seem to be spoofed. Any idea what sort of attack signature this is?
--
Richard Martin                      dmartin@origen.com
OriGen, inc.                        Tel: +1 512 474 7278
2525 Hartford Rd.                   Fax: +1 512 708 8522
Austin, TX 78703                    http://www.origen.com
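The two questions in the post (which port do DNS replies go back to, and what the TCP bursts are) are easier to reason about once the deny lines are parsed and bucketed instead of eyeballed. The following is an added example, not part of the original message and not FreeBSD code: a small parser for ipfw log lines of the form shown in the post (`ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`, an assumption about the format based on the quoted lines), plus a classifier that separates UDP replies from our port 53 by whether the querier used a privileged (< 1024) or ephemeral port, and keeps outbound TCP to remote port 53 in its own bucket. The four `altair` lines are the ones quoted in the post (X.X.X.X is the poster's redacted server address); the remaining sample lines, including the 10.x peers, are constructed. A reply to a low destination port is what the `1024-65535` rule drops by design, so the report shows exactly which peers are affected; outbound TCP from an ephemeral port to remote port 53 is also the shape of a DNS query retried over TCP after a truncated UDP answer (RFC 1035), which is why the code does not fold that bucket into the reply buckets.

```python
"""Parse ipfw deny lines and bucket the DNS-related ones for review.

Added example; not from the original post or from FreeBSD. The four
'altair' lines below are quoted from the post; the rest are constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: the four lines quoted in the post plus three
# made-up lines (a reply to a resolver querying from port 53, an accepted
# reply to an ephemeral port, and an unrelated syslog line).
SAMPLE_LOG = """\
May 8 15:42:21 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 4.17.20.4:673 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3835 192.76.144.16:53 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3833 193.0.0.193:53 out via ed0
May 8 15:32:11 altair /kernel: ipfw: 7400 Deny TCP X.X.X.X:3836 198.6.1.182:53 out via ed0
May 8 15:50:02 altair /kernel: ipfw: 7500 Deny UDP X.X.X.X:53 10.1.2.3:53 out via ed0
May 8 15:51:30 altair /kernel: ipfw: 7300 Accept UDP X.X.X.X:53 10.1.2.4:40123 out via ed0
May 8 15:52:00 altair sshd[123]: unrelated line
"""

# Assumed line layout (taken from the lines quoted in the post):
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> [via <iface>]
# The action may carry a numeric argument (e.g. "Unreach 3"), hence the optional digits.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+(?: \d+)?) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<direction>in|out)(?: via (?P<iface>\S+))?"
)


@dataclass(frozen=True)
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: Optional[str]


def parse_ipfw_line(line: str) -> Optional[IpfwEvent]:
    """Return an IpfwEvent for an ipfw log line, or None for anything else."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    return IpfwEvent(
        rule=int(m["rule"]), action=m["action"], proto=m["proto"].upper(),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        direction=m["direction"], iface=m["iface"],
    )


def parse_log(text: str) -> List[IpfwEvent]:
    """Parse every ipfw line in a syslog excerpt, skipping non-ipfw lines."""
    return [ev for ev in map(parse_ipfw_line, text.splitlines()) if ev is not None]


def classify(ev: IpfwEvent) -> str:
    """Bucket an event by what a port-53 rule set cares about."""
    if ev.proto == "UDP" and ev.sport == 53:
        # Our server answering a query. A rule like
        # 'allow udp from <us> 53 to any 1024-65535' passes only the ephemeral
        # bucket; resolvers that query from a low source port (port 53 itself
        # was a common default in older resolvers) land in the privileged bucket.
        return "udp-reply-to-privileged-port" if ev.dport < 1024 else "udp-reply-to-ephemeral-port"
    if ev.proto == "UDP" and ev.dport == 53:
        return "udp-query"
    if ev.proto == "TCP" and ev.dport == 53:
        # Outbound TCP to a remote port 53: zone transfer or a TCP retry of a
        # truncated UDP answer, so worth listing separately from replies.
        return "tcp-to-port-53"
    if ev.proto == "TCP" and ev.sport == 53:
        return "tcp-from-port-53"
    return "other"


def summarize(events: List[IpfwEvent], action: str = "Deny") -> Dict[str, Counter]:
    """Per bucket, count the remote peer (dst for 'out', src for 'in') among events with the given action."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        if ev.action != action:
            continue
        peer = ev.dst if ev.direction == "out" else ev.src
        summary[classify(ev)][peer] += 1
    return dict(summary)


def report(text: str) -> str:
    """Human-readable summary of denied DNS-related traffic in a log excerpt."""
    lines = []
    for bucket, peers in sorted(summarize(parse_log(text)).items()):
        lines.append(f"{bucket}: {sum(peers.values())} denied")
        for peer, n in peers.most_common():
            lines.append(f"    {peer}  x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against `/var/log/security` (or wherever ipfw logs land) instead of `SAMPLE_LOG` to see which peers the `1024-65535` restriction is actually affecting before deciding whether to widen it; the privileged-port bucket lists resolvers that would stop getting answers, while the TCP bucket lists the hosts the server itself tried to reach over TCP.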