Date: Thu, 11 Aug 2005 19:48:02 +0300
From: vladone
To: freebsd-questions@freebsd.org
Subject: strange problem with ipfw and some IP
Message-ID: <218935.20050811194802@spaingsm.com>

Hi!

I have this problem: I see in my traffic IPs which come in via the private interface and are not from my network class. The packets sent are fewer. When I try to block this traffic, after approximately 5-10 min. my internal interface stops responding.

This is an example from ipfw queue show for "in" on the private interface:

BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip               0.0.0.0/0             0.0.0.0/0    51    5618  0     0   0
  9 ip          0.177.220.92/0             0.0.0.0/0     1      60  0     0   0
 15 ip          0.15.133.128/0             0.0.0.0/0     1     234  0     0   0
 17 ip          0.177.220.80/0             0.0.0.0/0     2     120  0     0   0
 20 ip          0.168.101.94/0             0.0.0.0/0    12    1310  0     0   0
 26 ip          0.168.101.89/0             0.0.0.0/0  4604  307265  0     0   0
 27 ip            0.27.112.0/0             0.0.0.0/0     6     534  0     0   0
 98 ip         0.168.101.101/0             0.0.0.0/0    20    6180  0     0   0
106 ip          0.168.101.97/0             0.0.0.0/0   200   25790  0     0   0
108 ip          0.168.101.98/0             0.0.0.0/0   168   11498  0     0   0
154 ip          0.168.101.25/0             0.0.0.0/0    99    7196  0     0   0
156 ip          0.168.101.26/0             0.0.0.0/0   467   26948  0     0   0
162 ip           0.168.101.5/0             0.0.0.0/0     2     166  0     0   0
164 ip           0.168.101.6/0             0.0.0.0/0  5057  305146  0     0   0
178 ip          0.168.101.13/0             0.0.0.0/0   153   10874  0     0   0
184 ip           0.168.101.8/0             0.0.0.0/0  5765  359913  0     0   0
188 ip          0.168.101.10/0             0.0.0.0/0  2612  802506  0     0   0
206 ip          0.168.101.51/0             0.0.0.0/0    44    4516  0     0   0
234 ip         0.168.101.161/0             0.0.0.0/0     7    1008  0     0   0
244 ip          0.168.101.46/0             0.0.0.0/0   407   41688  0     0   0
252 ip             0.0.7.254/0             0.0.0.0/0     1      60  0     0   0

My internal network class is 192.168.101.0/24. For out from the private interface I don't see any suspect IP, only packets destined to my private network. I think it is a kind of attack, but I don't see anything in my logs, and the arp table shows only MACs for real traffic. Please help me with this!

P.S. The rules in ipfw look like this:

$cmd pipe 4 config bw $up
$cmd queue 4 config pipe 4 weight 5 mask src-ip 0xffffff
$cmd add 400 queue 4 ip from any to any in via $lif
....

$lif is my private interface
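
Added example, not part of the original message: the queue in the posted rules uses "mask src-ip 0xffffff", and dummynet lists each flow by its masked source address, so a host at 192.168.101.89 appears as 0.168.101.89. The sketch below sorts rows from the listing into bucket keys that hosts in 192.168.101.0/24 can produce under that mask and keys they cannot. The function names are hypothetical and the sample rows are copied from the listing above.

```python
import ipaddress

MASK = 0x00FFFFFF  # "mask src-ip 0xffffff" from the posted queue config
INTERNAL = ipaddress.ip_network("192.168.101.0/24")  # network stated in the post

# Rows copied from the listing in the post: BKT, proto, source, dest,
# Tot_pkt, Tot_bytes, Pkt, Byte, Drp.
SAMPLE = """\
  0 ip 0.0.0.0/0 0.0.0.0/0 51 5618 0 0 0
  9 ip 0.177.220.92/0 0.0.0.0/0 1 60 0 0 0
 15 ip 0.15.133.128/0 0.0.0.0/0 1 234 0 0 0
 26 ip 0.168.101.89/0 0.0.0.0/0 4604 307265 0 0 0
 27 ip 0.27.112.0/0 0.0.0.0/0 6 534 0 0 0
164 ip 0.168.101.6/0 0.0.0.0/0 5057 305146 0 0 0
252 ip 0.0.7.254/0 0.0.0.0/0 1 60 0 0 0
"""

def masked(addr, mask=MASK):
    """Bucket key for a source address: the address ANDed with the mask."""
    return ipaddress.ip_address(int(ipaddress.ip_address(addr)) & mask)

def classify(listing, net=INTERNAL, mask=MASK):
    """Split rows into keys that hosts in `net` can produce and all others."""
    expected = {int(a) & mask for a in net}
    rows = {"internal": [], "other": []}
    for line in listing.splitlines():
        f = line.split()
        if len(f) != 9 or not f[0].isdigit():
            continue  # header or blank line
        key = ipaddress.ip_address(f[2].split("/")[0])
        kind = "internal" if int(key) in expected else "other"
        rows[kind].append((str(key), int(f[4]), int(f[5])))
    return rows

def packet_totals(rows):
    """Total packets per class across the classified rows."""
    return {kind: sum(r[1] for r in entries) for kind, entries in rows.items()}

if __name__ == "__main__":
    result = classify(SAMPLE)
    print("192.168.101.89 is shown as", masked("192.168.101.89"))
    for kind, entries in result.items():
        for src, pkts, nbytes in entries:
            print(f"{kind:8} {src:15} {pkts:6} pkts {nbytes:8} bytes")
    print(packet_totals(result))
```

Rows classed as "other" are the ones worth tracing further, for example by logging on $lif with a rule that matches sources outside 192.168.101.0/24.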