Date: Mon, 29 May 2000 01:23:31 -0400 (EDT)
From: Omachonu Ogali <oogali@intranova.net>
To: David Schooley <dcschooley@ieee.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Strange Network Traffic
Message-ID: <Pine.BSF.4.10.10005290122520.532-100000@hydrant.intranova.net>
In-Reply-To: <p04310100b557a2f38662@[192.168.1.4]>

On Mon, 29 May 2000, David Schooley wrote:

> Hi,
>
> My FreeBSD 4.0-Stable box is part of a LAN that gets out onto the
> internet via a Linksys Cable/DSL router and cable modem. I used to
> route packets through the FreeBSD box using NAT, but the Linksys
> thing lets me do strange things to the BSD side without cutting off
> the rest of the network from the internet. I am the only user on the
> LAN. The Linksys router acts as a firewall, but since I don't really
> know how good it is for that, I am using ipfw to provide backup
> protection for the FreeBSD box.
>
> The router's IP address is 192.168.1.1 to the LAN. The IP address of
> the FreeBSD box is 192.168.1.2 on fxp0. Both addresses are fixed. fxp1
> is a second ethernet card on the FreeBSD machine, but it only carries
> AppleTalk traffic and does not have an IP address.
>
> My ruleset looks like this:
>
> 00100 allow ip from any to any via lo0
> 00200 deny log logamount 100 ip from any to 127.0.0.0/8
> 00250 deny log logamount 100 ip from 127.0.0.0/8 to any via fxp0
> 00300 allow ip from 192.168.1.2 to 192.168.1.0/24
> 00400 allow ip from 192.168.1.0/24 to 192.168.1.2
> 00500 check-state
> 00600 allow ip from any to any frag
> 00700 allow tcp from 192.168.1.2 to any keep-state setup
> 00800 allow udp from any 53 to 192.168.1.2
> 00900 allow udp from 192.168.1.2 to any 53
> 01000 deny log logamount 100 ip from any to any
> 65535 deny ip from any to any
>
> I log all failures so that I can see what makes it through the
> Linksys. Now for the question, the following shows up in the security
> log:
>
> May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030
> 255.255.255.255:162 in via fxp1
> May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030
> 255.255.255.255:162 in via fxp0
>
> and later, it happens again:
>
> May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031
> 255.255.255.255:162 in via fxp1
> May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031
> 255.255.255.255:162 in via fxp0
>
> The Linksys shouldn't be doing anything with SNMP, so are evil
> crackers trying to do something?
>

The router is broadcasting SNMP traps (port 162) to the LAN.

--
+-----------------------------------------------------------------------+
| Omachonu Ogali                                   oogali@intranova.net |
| Intranova Networking Group                   http://www.intranova.net |
| PGP Key ID: 0xBFE60839                                                |
| PGP Fingerprint: 8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34       |
+-----------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10005290122520.532-100000>
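
An added example (not part of the original thread) of triaging the ipfw deny entries quoted in the message: it collapses the per-interface duplicates and labels each packet by origin and by whether it was a broadcast. The `SERVICES` table, the function names and the final TCP log line are assumptions constructed for illustration; only TCP/UDP entries in the format shown in the message are parsed.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")                # LAN from the message
SERVICES = {("UDP", 162): "snmp-trap", ("UDP", 53): "dns"}  # assumed lookup table

# First four lines are from the message (mail line-wrap undone);
# the last one is constructed to show the contrasting case.
SAMPLE_LOG = """\
May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp1
May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp0
May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp1
May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp0
May 28 17:10:41 bicycle /kernel: ipfw: 1000 Deny TCP 203.0.113.9:4431 192.168.1.2:23 in via fxp0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ /kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$")

def classify(src, dst):
    """Label a packet by where it came from and whether it was a broadcast."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    origin = "lan" if src in LAN else "external"
    bcast = dst in (ipaddress.ip_address("255.255.255.255"), LAN.broadcast_address)
    return f"{origin}-{'broadcast' if bcast else 'unicast'}"

def triage(log_text):
    """Merge entries with the same second and flow (one per interface) into one record."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP/UDP ipfw log line in this format
        key = (m["ts"], m["proto"], m["src"], m["dst"], int(m["dport"]))
        ev = events.setdefault(key, {
            "time": m["ts"], "src": m["src"], "dst": m["dst"],
            "service": SERVICES.get((m["proto"], int(m["dport"])),
                                    f"{m['proto'].lower()}/{m['dport']}"),
            "class": classify(m["src"], m["dst"]), "ifaces": []})
        ev["ifaces"].append(m["iface"])
    return list(events.values())

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev["time"], ev["class"], ev["service"], ev["src"], "->", ev["dst"],
              "via", ",".join(ev["ifaces"]))
```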