From: Barney Wolff
To: "Ronald F. Guilmette"
Cc: freebsd-net@freebsd.org
Date: Sun, 23 Oct 2011 00:06:40 -0400
Subject: Re: IPFW shows me Strangeness in fresh 8.2-RELEASE system
Message-ID: <20111023040640.GA91490@pit.databus.com>
In-Reply-To: <29994.1319330864@tristatelogic.com>
List-Id: Networking and TCP/IP with FreeBSD

I would bet that all of those packets are being sent to the broadcast
ethernet address. Certainly the DHCP and RIP packets are likely to have
been. Try running tcpdump with -e to see if that's right.

There's a lot of junk on DSL; live with it. Unless the volume is a
significant fraction of your bandwidth, it's harmless.

On Sat, Oct 22, 2011 at 05:47:44PM -0700, Ronald F. Guilmette wrote:
>
> I've been slowly bringing up a fresh new 8.2-RELEASE system on one of my
> static IPs, and I've set up some minimalist ipfw rules, just for the time
> being, to try to protect it from Evil Invaders. I arranged for these rules
> to log all unexpected inbound packets coming in via the one and only ethernet
> card.
>
> The card has been ifconfig'd as follows:
>
> ifconfig_rl0="inet 69.62.255.119 netmask 255.255.255.0"
>
> I'll admit to being ignorant about many of the finer details of networking
> generally, but to my way of thinking, the above configuration should cause
> the card to really only listen for inbound packets addressed to 69.62.255.119.
> Yes? No?
>
> Well, anyway, that's been my experience in the past.
>
> The odd thing is that I'm getting some inbound packets logged by my final
> ``catch all'' deny & log rule in my IPFW rules list, where the destination
> IP address on the packets being logged is *not* 69.62.255.119.
>
> This is absolutely puzzling to me, and I hope that somebody can explain it
> to me. I mean how can this occur? The destination IP addresses in question
> aren't even in the same /24 as my machine, so I really don't understand how
> or why my card is even receiving these packets.
>
> The inbound packets in question are not really a problem. I can easily
> figure out how to add additional ipfw rules to block them completely.
> But the very fact that my ethernet card is even hearing them, given its
> configured IP address, is rather disturbing to me, because it obviously
> means that there's something deep going on here that I just don't understand,
> but I would like to understand it.
>
> The packets in question seem to come in three flavors. About 1/3 of them look
> like this in the /var/log/security file:
>
> Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0
>
> Some others look like this:
>
> Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0
>
> Still others look like this:
>
> Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0
>
> The destination addresses for all of the logged packets represented above are
> quite clearly *not* the IP address of the machine I'm setting up. Not even
> close.
>
> Note that the machine I've been setting up is on a static IP address on an
> ordinary end-luser DSL line. Note also that all addresses within the
> 67.159.128.0/19 block belong to my own ISP, Surewest Broadband. So it would
> seem to be the case that some other folks or businesses who use my same ISP
> may perhaps be sending out some funny (and misdirected?) packets, but that's
> not an issue that concerns me. What does concern me is just that fact that
> my ethernet card seems to be listening to packets that aren't even addressed
> to it, and I really just don't understand why.
>
> Any enlightenment would be appreciated.
>
>
> Regards,
> rfg
>
>
> P.S. This is the first time I've ever touched FreeBSD 8.x. I've been using
> 7.x releases in the past however, and before that 6.x and 5.x releases and
> I've really never seen anything quite like this before. Do 8.x releases now
> cause ethernet cards to listen for stuff they should not even be listening
> for?
>
> Color me perplexed.

-- 
Barney Wolff I never met a computer I didn't like.
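
Added example, not written by either poster: Python that parses the three ipfw log lines quoted in the message and labels each destination as unicast to the host, limited broadcast, or a possible subnet-directed broadcast. The sender's netmask is not given in the thread, so the code only reports which prefix lengths would make the destination a broadcast address; the function names and the /8 to /30 search range are assumptions of this example.

```python
import ipaddress
import re

# Log lines and LOCAL_ADDR are copied from the quoted message above.
SAMPLE_LOG = """\
Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0
Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0
Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0
"""
LOCAL_ADDR = ipaddress.IPv4Address("69.62.255.119")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
KNOWN_UDP_PORTS = {67: "DHCP/BOOTP", 520: "RIP"}  # the two services named in the reply
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def broadcast_prefixes(src, dst, shortest=8, longest=30):
    """Prefix lengths where src and dst share a subnet and dst is its broadcast."""
    nets = (ipaddress.ip_network(f"{dst}/{p}", strict=False)
            for p in range(shortest, longest + 1))
    return [n.prefixlen for n in nets if dst == n.broadcast_address and src in n]

def classify(line):
    """Return a dict describing one ipfw log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, dst = ipaddress.IPv4Address(m["src"]), ipaddress.IPv4Address(m["dst"])
    prefixes = []
    if dst == LOCAL_ADDR:
        kind = "unicast-to-host"
    elif dst == LIMITED_BROADCAST:
        kind = "limited-broadcast"
    else:
        # Netmask unknown: report every prefix length that would fit.
        prefixes = broadcast_prefixes(src, dst)
        kind = "possible-directed-broadcast" if prefixes else "other"
    return {"dst": str(dst), "kind": kind, "prefixes": prefixes,
            "service": KNOWN_UDP_PORTS.get(int(m["dport"]))}

def summarize(log_text):
    return [rec for rec in map(classify, log_text.splitlines()) if rec]

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

For the third log line, 67.159.139.191 is the broadcast address of the sender's subnet under a /26, /27 or /28 mask, which is consistent with the reply's guess about the RIP traffic. Running `tcpdump -e` on rl0, as the reply suggests, remains the direct check of the Ethernet destination address.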