From owner-freebsd-net Sun May 28 22:22:28 2000
Delivered-To: freebsd-net@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 3741B37BA4C for ; Sun, 28 May 2000 22:22:19 -0700 (PDT) (envelope-from oogali@intranova.net)
Received: from localhost (localhost [127.0.0.1]) by hydrant.intranova.net (Postfix) with ESMTP id 6A9CAE0CCD; Mon, 29 May 2000 01:23:31 -0400 (EDT)
Date: Mon, 29 May 2000 01:23:31 -0400 (EDT)
From: Omachonu Ogali
To: David Schooley
Cc: freebsd-net@freebsd.org
Subject: Re: Strange Network Traffic
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 29 May 2000, David Schooley wrote:

> Hi,
>
> My FreeBSD 4.0-Stable box is part of a LAN that gets out onto the
> internet via a Linksys Cable/DSL router and cable modem. I used to
> route packets through the FreeBSD box using NAT, but the Linksys
> thing lets me do strange things to the BSD side without cutting off
> the rest of the network from the internet. I am the only user on the
> LAN. The Linksys router acts as a firewall, but since I don't really
> know how good it is for that, I am using ipfw to provide backup
> protection for the FreeBSD box.
>
> The router's IP address is 192.168.1.1 to the LAN. The IP address of
> the FreeBSD box is 192.168.1.2 on fxp0. Both addresses are fixed. fxp1
> is a second ethernet card on the FreeBSD machine, but it only carries
> AppleTalk traffic and does not have an IP address.
>
> My ruleset looks like this:
>
> 00100 allow ip from any to any via lo0
> 00200 deny log logamount 100 ip from any to 127.0.0.0/8
> 00250 deny log logamount 100 ip from 127.0.0.0/8 to any via fxp0
> 00300 allow ip from 192.168.1.2 to 192.168.1.0/24
> 00400 allow ip from 192.168.1.0/24 to 192.168.1.2
> 00500 check-state
> 00600 allow ip from any to any frag
> 00700 allow tcp from 192.168.1.2 to any keep-state setup
> 00800 allow udp from any 53 to 192.168.1.2
> 00900 allow udp from 192.168.1.2 to any 53
> 01000 deny log logamount 100 ip from any to any
> 65535 deny ip from any to any
>
> I log all failures so that I can see what makes it through the
> Linksys. Now for the question, the following shows up in the security
> log:
>
> May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp1
> May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp0
>
> and later, it happens again:
>
> May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp1
> May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp0
>
> The Linksys shouldn't be doing anything with SNMP, so are evil
> crackers trying to do something?

The router is broadcasting SNMP traps (port 162) to the LAN.

--
+-----------------------------------------------------------------------+
| Omachonu Ogali                                  oogali@intranova.net |
| Intranova Networking Group                  http://www.intranova.net |
| PGP Key ID: 0xBFE60839                                               |
| PGP Fingerprint: 8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34      |
+-----------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
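Added example (editor's code, not from either poster): a small Python classifier that parses ipfw deny-log lines in the FreeBSD 4.x format quoted above, separates the gateway's SNMP trap broadcasts from every other drop, and shows how much of rule 1000's `logamount 100` quota that noise has already used. The point a practitioner would want from this thread is not just "it's the router" but that harmless broadcasts hitting a logged catch-all rule silently burn its log quota, hiding any later real probe until `ipfw resetlog` is run. The gateway address and the `/24` directed broadcast are taken from the thread; the fifth log line (an inbound TCP probe) and the rule number 950 are assumptions made for illustration.

```python
"""Classify ipfw deny-log lines: gateway SNMP trap broadcasts vs. everything else.

Added example for this thread, not code from the original posting. The log
format is the FreeBSD 4.x ipfw(8) one quoted in the thread; the TCP sample
line, rule number 950 and the directed-broadcast address are assumptions.
"""
import re
from collections import Counter

GATEWAY = "192.168.1.1"                                # Linksys LAN address (from the thread)
LAN_BROADCASTS = {"255.255.255.255", "192.168.1.255"}  # limited + directed broadcast (assumed /24)
CATCHALL_RULE = 1000                                   # "deny log logamount 100 ip from any to any"
LOGAMOUNT = 100                                        # its per-rule log quota

# Constructed sample: the four lines quoted in the thread plus one invented
# inbound TCP probe, so the classifier has something that is not trap noise.
SAMPLE_LOG = """\
May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp1
May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp0
May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp1
May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp0
May 28 16:52:10 bicycle /kernel: ipfw: 1000 Deny TCP 203.0.113.7:4444 192.168.1.2:23 in via fxp0
"""

# "ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] in|out [via <iface>]"
# Ports are optional so ICMP lines ("ICMP:8.0 a.b.c.d e.f.g.h") parse too.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out)(?: via (?P<iface>\w+))?"
)


def classify(rec):
    """Label a drop: the gateway's SNMP trap broadcasts (UDP/162) are expected noise."""
    if (rec["proto"] == "UDP" and rec["src"] == GATEWAY
            and rec["dst"] in LAN_BROADCASTS and rec["dport"] == 162):
        return "gateway-snmp-trap-broadcast"
    return "other"


def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for port in ("sport", "dport"):
        rec[port] = int(rec[port]) if rec[port] is not None else None
    rec["kind"] = classify(rec)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count drops per kind so noise and interesting drops are reported separately."""
    return Counter(r["kind"] for r in records)


def catchall_log_budget(records, rule=CATCHALL_RULE, logamount=LOGAMOUNT):
    """Log entries the catch-all rule has left before ipfw stops logging it.

    logamount is a per-rule cap: once reached, nothing more is logged for that
    rule until `ipfw resetlog`, so broadcast noise matching the catch-all eats
    the budget a real probe would have needed.
    """
    used = sum(1 for r in records if r["rule"] == rule)
    return max(logamount - used, 0)


def silence_rule(number=950, iface=None):
    """An ipfw rule (FreeBSD 4.x syntax) that drops the trap broadcasts without
    logging, numbered to sit before the catch-all. No `via` by default because
    the traps arrive on both fxp0 and fxp1 in the thread."""
    suffix = f" via {iface}" if iface else ""
    return f"ipfw add {number} deny udp from {GATEWAY} to 255.255.255.255 162 in{suffix}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    for r in recs:
        if r["kind"] == "other":
            print("investigate:", r["proto"], r["src"], "->", r["dst"], r["dport"], "via", r["iface"])
    print("catch-all log entries left:", catchall_log_budget(recs))
    print(silence_rule())
```

Two caveats when applying this to the ruleset in the thread. First, an unlogged deny such as the one `silence_rule()` prints belongs between rule 900 and rule 1000; adding it with `log` would only move the same noise to another rule's quota. Second, the `in via fxp1` hits are not a sign that fxp1 has quietly acquired an address: ipfw sees every IP packet an up interface receives, so a card on the same segment logs the broadcasts even though it carries only AppleTalk, which is why the rule above deliberately omits `via`.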