Date: Sun, 23 Oct 2011 00:06:40 -0400
From: Barney Wolff <barney@databus.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW shows me Strangeness in fresh 8.2-RELEASE system
Message-ID: <20111023040640.GA91490@pit.databus.com>
In-Reply-To: <29994.1319330864@tristatelogic.com>
References: <29994.1319330864@tristatelogic.com>

I would bet that all of those packets are being sent to the broadcast
ethernet address.  Certainly the DHCP and RIP packets are likely to have
been.  Try running tcpdump with -e to see if that's right.

There's a lot of junk on DSL; live with it.  Unless the volume is a
significant fraction of your bandwidth, it's harmless.

On Sat, Oct 22, 2011 at 05:47:44PM -0700, Ronald F. Guilmette wrote:
>
> I've been slowly bringing up a fresh new 8.2-RELEASE system on one of my
> static IPs, and I've set up some minimalist ipfw rules, just for the time
> being, to try to protect it from Evil Invaders.  I arranged for these rules
> to log all unexpected inbound packets coming in via the one and only ethernet
> card.
>
> The card has been ifconfig'd as follows:
>
> ifconfig_rl0="inet 69.62.255.119 netmask 255.255.255.0"
>
> I'll admit to being ignorant about many of the finer details of networking
> generally, but to my way of thinking, the above configuration should cause
> the card to really only listen for inbound packets addressed to 69.62.255.119.
> Yes?  No?
>
> Well, anyway, that's been my experience in the past.
>
> The odd thing is that I'm getting some inbound packets logged by my final
> ``catch all'' deny & log rule in my IPFW rules list, where the destination
> IP address on the packets being logged is *not* 69.62.255.119.
>
> This is absolutely puzzling to me, and I hope that somebody can explain it
> to me.  I mean how can this occur?  The destination IP addresses in question
> aren't even in the same /24 as my machine, so I really don't understand how
> or why my card is even receiving these packets.
>
> The inbound packets in question are not really a problem.  I can easily
> figure out how to add additional ipfw rules to block them completely.
> But the very fact that my ethernet card is even hearing them, given its
> configured IP address, is rather disturbing to me, because it obviously
> means that there's something deep going on here that I just don't understand,
> but I would like to understand it.
>
> The packets in question seem to come in three flavors.  About 1/3 of them look
> like this in the /var/log/security file:
>
> Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0
>
> Some others look like this:
>
> Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0
>
> Still others look like this:
>
> Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0
>
> The destination addresses for all of the logged packets represented above are
> quite clearly *not* the IP address of the machine I'm setting up.  Not even
> close.
>
> Note that the machine I've been setting up is on a static IP address on an
> ordinary end-luser DSL line.  Note also that all addresses within the
> 67.159.128.0/19 block belong to my own ISP, Surewest Broadband.  So it would
> seem to be the case that some other folks or businesses who use my same ISP
> may perhaps be sending out some funny (and misdirected?) packets, but that's
> not an issue that concerns me.  What does concern me is just the fact that
> my ethernet card seems to be listening to packets that aren't even addressed
> to it, and I really just don't understand why.
>
> Any enlightenment would be appreciated.
>
>
> Regards,
> rfg
>
>
> P.S.  This is the first time I've ever touched FreeBSD 8.x.  I've been using
> 7.x releases in the past however, and before that 6.x and 5.x releases and
> I've really never seen anything quite like this before.  Do 8.x releases now
> cause ethernet cards to listen for stuff they should not even be listening
> for?
>
> Color me perplexed.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Barney Wolff         I never met a computer I didn't like.
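
The following is an added example, not part of either message in this thread: a Python classifier for the three ipfw log lines quoted above, sorting each logged destination by how it relates to the interface address from the quoted ifconfig line. The names `classify_dst`, `parse_line` and `summarize` are hypothetical, and the regular expression assumes the log layout of those three samples.

```python
import ipaddress
import re
from collections import Counter

# Interface address from the ifconfig line quoted in the message.
LOCAL_IF = ipaddress.ip_interface("69.62.255.119/24")
# UDP ports behind the "DHCP and RIP" remark in the reply.
SERVICES = {67: "DHCP", 68: "DHCP", 520: "RIP"}
# Assumed layout, matching the three log samples quoted in the message.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifname>\S+)")

# The three log lines quoted in the message.
SAMPLE_LOG = """\
Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0
Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0
Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0
"""

def classify_dst(dst, local=LOCAL_IF):
    """Classify a destination IPv4 address relative to the local interface."""
    addr = ipaddress.ip_address(dst)
    if addr == local.ip:
        return "local-unicast"
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr == local.network.broadcast_address:
        return "subnet-broadcast"
    if addr.is_multicast:
        return "multicast"
    # Not addressed to this host at the IP layer. The reply's hypothesis is
    # that such frames carry the Ethernet broadcast address; tcpdump -e
    # prints the link-level header needed to confirm that.
    return "foreign"

def parse_line(line):
    """Return a dict of fields for one ipfw log line, or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dst_class"] = classify_dst(rec["dst"])
    rec["service"] = SERVICES.get(int(rec["dport"]), "unknown")
    return rec

def summarize(text):
    """Count log entries by (destination class, service)."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return Counter((r["dst_class"], r["service"]) for r in recs)

if __name__ == "__main__":
    for (dst_class, service), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {dst_class:18s} {service}")
```

Entries reported as `limited-broadcast` or `foreign` are the ones to compare against `tcpdump -e` output, since the IP destination alone does not show which Ethernet address the frame was sent to.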