Date:      Thu, 11 Aug 2005 19:48:02 +0300
From:      vladone <vladone@spaingsm.com>
To:        freebsd-questions@freebsd.org
Subject:   strange problem with ipfw and some IP
Message-ID:  <218935.20050811194802@spaingsm.com>

Hi!
I have this problem:
I see in my traffic IPs that come in via the private interface and are
not from my network class. Packets sent are fewer. When I try to block
this traffic, after approximately 5-10 min. my internal interface stops
responding.
This is an example from ipfw queue show for in on the private interface:
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0       51     5618  0    0   0
  9 ip      0.177.220.92/0             0.0.0.0/0        1       60  0    0   0
 15 ip      0.15.133.128/0             0.0.0.0/0        1      234  0    0   0
 17 ip      0.177.220.80/0             0.0.0.0/0        2      120  0    0   0
 20 ip      0.168.101.94/0             0.0.0.0/0       12     1310  0    0   0
 26 ip      0.168.101.89/0             0.0.0.0/0     4604   307265  0    0   0
 27 ip        0.27.112.0/0             0.0.0.0/0        6      534  0    0   0
 98 ip     0.168.101.101/0             0.0.0.0/0       20     6180  0    0   0
106 ip      0.168.101.97/0             0.0.0.0/0      200    25790  0    0   0
108 ip      0.168.101.98/0             0.0.0.0/0      168    11498  0    0   0
154 ip      0.168.101.25/0             0.0.0.0/0       99     7196  0    0   0
156 ip      0.168.101.26/0             0.0.0.0/0      467    26948  0    0   0
162 ip       0.168.101.5/0             0.0.0.0/0        2      166  0    0   0
164 ip       0.168.101.6/0             0.0.0.0/0     5057   305146  0    0   0
178 ip      0.168.101.13/0             0.0.0.0/0      153    10874  0    0   0
184 ip       0.168.101.8/0             0.0.0.0/0     5765   359913  0    0   0
188 ip      0.168.101.10/0             0.0.0.0/0     2612   802506  0    0   0
206 ip      0.168.101.51/0             0.0.0.0/0       44     4516  0    0   0
234 ip     0.168.101.161/0             0.0.0.0/0        7     1008  0    0   0
244 ip      0.168.101.46/0             0.0.0.0/0      407    41688  0    0   0
252 ip         0.0.7.254/0             0.0.0.0/0        1       60  0    0   0
 My internal network class is 192.168.101.0/24.
 For out from the private interface I don't see any suspect IP. Only
 packets destined to my private network.
 I think it is a kind of attack but I don't see anything in my logs, and
 the arp table shows only MACs for real traffic.
 Please help me with this!

 P.S.
 Rules in ipfw look like this:
 $cmd pipe 4 config bw $up
 $cmd queue 4 config pipe 4 weight 5 mask src-ip 0xffffff
 $cmd add 400 queue 4 ip from any to any in via $lif
 ....
 $lif is my private interface




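Added example, not part of the original message: the queue in the posted rules uses "mask src-ip 0xffffff", i.e. the 32-bit mask 0x00ffffff, so dummynet keys each flow on the source address with its first octet zeroed, and 192.168.101.94 is listed as 0.168.101.94. The Python sketch below applies that mask to a few rows copied from the posted output and flags which buckets a 192.168.101.0/24 host could have produced; the function names are hypothetical.

```python
import ipaddress

MASK = 0x00FFFFFF                                 # posted rule: mask src-ip 0xffffff
LAN = ipaddress.ip_network("192.168.101.0/24")    # internal network named in the post

# Rows copied from the posted "ipfw queue show" output (subset).
SAMPLE = """\
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  9 ip      0.177.220.92/0             0.0.0.0/0        1       60  0    0   0
 20 ip      0.168.101.94/0             0.0.0.0/0       12     1310  0    0   0
 26 ip      0.168.101.89/0             0.0.0.0/0     4604   307265  0    0   0
252 ip         0.0.7.254/0             0.0.0.0/0        1       60  0    0   0
"""

def bucket_key(addr, mask=MASK):
    """Flow key kept for a source address: the address ANDed with the queue mask."""
    return ipaddress.ip_address(int(ipaddress.ip_address(addr)) & mask)

def could_be_lan(key, lan=LAN, mask=MASK):
    """True if some host inside `lan` maps to this bucket key under `mask`."""
    k = int(ipaddress.ip_address(key))
    # Only bits that survive the mask AND are fixed by the LAN prefix can be compared.
    fixed = int(lan.netmask) & mask
    return (k & fixed) == (int(lan.network_address) & fixed)

def classify(output):
    """Return (masked source, total packets, could_be_lan) for each bucket row."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].isdigit():      # skip the header line
            continue
        src = f[2].split("/")[0]
        rows.append((src, int(f[4]), could_be_lan(src)))
    return rows

if __name__ == "__main__":
    print("192.168.101.94 is keyed as", bucket_key("192.168.101.94"))
    for src, pkts, lan_ok in classify(SAMPLE):
        note = "consistent with LAN host" if lan_ok else "first octet unknown, not a LAN host"
        print(f"{src:>15}  {pkts:>6} pkts  {note}")
```

For the buckets that do not match, the mask has discarded the first octet, so the real source has to be read from a capture on the interface or from a queue keyed on the full address (mask src-ip 0xffffffff).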