From: "Crist J. Clark"
To: Emlyn Murphy
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 20 Aug 2001 13:24:57 -0700
Subject: Re: yet another ipfw question
Reply-To: cjclark@alum.mit.edu

On Mon, Aug 20, 2001 at 09:00:10AM -0400, Emlyn Murphy wrote:
[snip]
> > 00900 1995 663805 deny ip from 0.0.0.0/8 to any in recv tl0

Most likely machines looking for DHCP servers. They use 0.0.0.0 as a
source address during the discover phase. I've also frequently seen
broken packets with source addresses in the 1-net coming in from the
Internet.

> > 01800 111327 6146217 deny ip from any to 240.0.0.0/4 in recv tl0

Local broadcasts (255.255.255.255) are going to fall into this
range. Other than that, there really shouldn't be much going on up
there in the Class E range.

> > 65435 183243 28291342 deny log logamount 100 ip from any to any

You're logging these, so you should see some of them. I assume this is
the default deny catching _everything_ that doesn't pass. There is
undoubtedly a _lot_ of different stuff going on in here.

-- 
Crist J. Clark
cjclark@alum.mit.edu
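
An added example, not part of the original message: a Python sketch that parses the three counter lines quoted above, computes the mean packet size per rule, and reports which of those rules a given source/destination pair would hit first. It assumes only the `ip from X to Y` rule form with `any` or CIDR operands, ignores the `in recv tl0` qualifiers and the rules snipped from the message, and all function names are illustrative.

```python
import ipaddress

# The three counter lines quoted in the message
# (rule number, packet count, byte count, rule body).
IPFW_SHOW = """\
00900 1995 663805 deny ip from 0.0.0.0/8 to any in recv tl0
01800 111327 6146217 deny ip from any to 240.0.0.0/4 in recv tl0
65435 183243 28291342 deny log logamount 100 ip from any to any
"""


def parse_counters(text):
    """Return {rule_number: (packets, bytes, rule_body)}."""
    rules = {}
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # skip blank or non-rule lines
        num, pkts, nbytes, body = fields
        rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules


def mean_packet_size(rules, num):
    """Average bytes per packet for one rule; 0.0 if it never matched."""
    pkts, nbytes, _ = rules[num]
    return nbytes / pkts if pkts else 0.0


def _covers(spec, addr):
    # Assumption: operand is either "any" or a CIDR network.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def first_match(rules, src, dst):
    """Lowest-numbered quoted rule whose from/to operands match src/dst."""
    for num in sorted(rules):
        words = rules[num][2].split()
        i = words.index("from")  # layout: from <src> to <dst>
        if _covers(words[i + 1], src) and _covers(words[i + 3], dst):
            return num
    return None


if __name__ == "__main__":
    rules = parse_counters(IPFW_SHOW)
    for num in sorted(rules):
        print(f"{num:05d} mean {mean_packet_size(rules, num):7.1f} bytes/packet")
    # Sample packets (constructed): a DHCP discover, then a limited broadcast.
    print(first_match(rules, "0.0.0.0", "255.255.255.255"))
    print(first_match(rules, "192.0.2.10", "255.255.255.255"))
```

The mean for rule 00900 comes out near 333 bytes, which is in line with the DHCP explanation: a minimal BOOTP/DHCP message is 300 bytes before the 28 bytes of UDP and IP headers.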