Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 18 Dec 2001 13:38:18 -0500
From: parv
To: f-q
Subject: any way to locate the real source ip of an 10/8 address?
Message-ID: <20011218133818.A23891@moo.holy.cow>

is there hope of locating the real ip address behind a 10.0.0.0/8
address in general?

i wouldn't have minded it if ipf blocked only a few of them.  but i am
seeing an ip address blocked very often.  below are two of the >90 ipf
alerts w/ most relevant information...

  b 10.112.1.1,80 -> a.b.c.d,port PR tcp len 20 1500 -A 1044505376 3051010357 17140 IN
  b 10.112.1.1,80 -> a.b.c.d,port PR tcp len 20 817 -AFP 248335848 1496692188 17204 IN

...here is ipf rule for sake of completeness...

  block in log body quick on tun0 from 10.0.0.0/8 to any group 200

...somehow it seems to coincide just after images have been loaded
from...

  http://www.timex.com/

...select "watch finder" from the first page, then any watch line, then
"see the entire line" somewhere at the bottom, then wait for the block
alerts.

-- curious