Date: Mon, 20 Aug 2001 09:00:10 -0400
From: Emlyn Murphy
To: freebsd-security@freebsd.org
Subject: yet another ipfw question
Message-ID: <20010820090010.A42499@chhsweb.gsu.edu>

Greetings all,

I have a probably easily answerable question about repeatedly denied packets. I run a web server which I use ipfw on to leave open only the ports I use (undoubtably a common scenario). The only weird thing is, every day I get the exact same denied packets. To me, it doesn't seem like a potential problem, but I am still curious as to what causes this sort of thing.

This is what I get for the denied packets when the security report runs:

> 00900 1995 663805 deny ip from 0.0.0.0/8 to any in recv tl0
> 01800 111327 6146217 deny ip from any to 240.0.0.0/4 in recv tl0
> 65435 183243 28291342 deny log logamount 100 ip from any to any

Which is obviously caught by this set of rules (this is only a snippet of my rules):

    # Stop draft-manning-dsua-01.txt nets on the outside interface
    $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
    $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
    $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
    $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
    $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
    $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
    $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
    $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
    $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
    $fwcmd add deny all from any to 240.0.0.0/4 in via $oif

I'm in a rather chaotic university environment, so I have come to expect a certain amount of weird stuff like this. I was just wondering if anyone could explain what sort of programs cause this repetitive behavior.

Thanks in advance!

-- 
Emlyn Murphy
http://www.emlyn.net/