From owner-freebsd-questions Tue Jan 1 13:35:58 2002
Date: Tue, 1 Jan 2002 13:35:41 -0800 (PST)
From: Brian Whalen
To: Joe & Fhe Barbish
Cc: FBSD Questions
Subject: Re: IPFW UDP port# 520
Message-ID: <20020101133355.F3347-100000@5131-073-209.015.popsite.net>

Well I'd be a little suspicious due to the lack of a reverse dns entry for
that ip. According to arin, that ip belongs to Alexia Internet. This your
isp? Is that ip your gateway for traffic back out?

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Tue, 1 Jan 2002, Joe & Fhe Barbish wrote:

> Happy new year to all FBSD list readers.
>
> I see in my security log a lot of denied packets over and
> over again of the same kind.
>
> Deny UDP 208.203.25.3:520 63.163.61.14:520 in via tun0
>
> 208.203.25.3 is my ISP's IP address and 63.163.61.14 is my IP address.
>
> When I look up what port 520 is it says a local routing process
> or Trojan Ripper. I think it's my ISP's front door router
> inquiring if I am still there.
> Since my firewall is denying the request it just keeps repeating.
>
> How can I be sure it's my ISP's router and not the Ripper Trojan?
>
> What rules do I need to add to my IPFW rules set to resolve this?
>
> Thanks
>
> Joe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
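
The log line in the question has source and destination port both 520, which is the shape of a RIP router's periodic updates. The following is an added example, not part of the original thread: it tallies ipfw Deny entries by flow and marks that pattern. The syslog prefix, rule number 65000 and the 192.0.2.x lines are constructed sample data.

```shell
#!/bin/sh
# Added example: group repeated ipfw "Deny" log entries by flow and mark
# the ones shaped like RIP updates (UDP, source and destination port 520).

# Constructed sample log. Only the Deny text of the first three lines comes
# from the post; the syslog prefix, rule number and other lines are made up.
sample_log() {
cat <<'EOF'
Jan  1 13:01:10 gw /kernel: ipfw: 65000 Deny UDP 208.203.25.3:520 63.163.61.14:520 in via tun0
Jan  1 13:01:40 gw /kernel: ipfw: 65000 Deny UDP 208.203.25.3:520 63.163.61.14:520 in via tun0
Jan  1 13:02:10 gw /kernel: ipfw: 65000 Deny UDP 208.203.25.3:520 63.163.61.14:520 in via tun0
Jan  1 13:02:15 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.7:4312 63.163.61.14:139 in via tun0
Jan  1 13:02:18 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.7:4312 63.163.61.14:139 in via tun0
Jan  1 13:03:01 gw /kernel: ipfw: 65000 Deny UDP 192.0.2.9:1026 63.163.61.14:520 in via tun0
EOF
}

# Reads log lines on stdin, prints "count proto src dst class", busiest first.
summarize_denies() {
    awk '
    {
        # Locate the "Deny" keyword so any syslog prefix is tolerated.
        for (i = 1; i <= NF; i++) if ($i == "Deny") break
        if (i + 3 > NF) next                 # no Deny, or fields missing
        proto = $(i + 1); src = $(i + 2); dst = $(i + 3)
        split(src, s, ":"); split(dst, d, ":")
        key = proto " " src " " dst
        count[key]++
        # RIP routers send periodic updates from port 520 to port 520;
        # a query from an ordinary program uses some other source port.
        if (proto == "UDP" && s[2] == "520" && d[2] == "520")
            class[key] = "rip-update-shaped"
        else
            class[key] = "other"
    }
    END { for (k in count) print count[k], k, class[k] }
    ' | sort -rn
}

sample_log | summarize_denies
```

A match only describes the packet's shape: UDP source addresses can be forged, so confirming the sender still means checking with the ISP that 208.203.25.3 is its router.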