Date: Thu, 23 Jun 2005 10:42:27 -0400
From: "Stephan Weaver" <stephanweaver@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: IPFILTER 'again' ?
Message-ID: <BAY20-F271D2273E9724F83E2D293A8EA0@phx.gbl>
Hello,

I noticed this in my /var/log/ipfilter.log:

23/06/2005 10:36:06.691347 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61827 PR udp len 20 66 IN
23/06/2005 10:36:07.652341 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61828 PR udp len 20 70 IN

This should never occur, since my rules look like this:

ipf.rules
--
block in all
block out all

pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on vr1 all
pass out quick on vr1 all

pass out quick on vr0 from any to any keep state

pass in quick on vr0 proto tcp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto tcp from 196.3.132.4 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.4 to any port = 53 keep state

# Block all inbound traffic from non-routable or reserved address spaces
block in log quick on vr0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on vr0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on vr0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on vr0 from 127.0.0.0/8 to any       #loopback
block in log quick on vr0 from 0.0.0.0/8 to any         #loopback
block in log quick on vr0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on vr0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on vr0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in log quick on vr0 from 224.0.0.0/3 to any       #Class D & E multicast

# Block frags
block in quick on vr0 all with frags

# Block short tcp packets
block in quick on vr0 proto tcp all with short

# Block source routed packets
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on vr0 proto tcp all flags FUP
block in log first quick on vr0 proto tcp all flags SF/SFRA
block in log first quick on vr0 proto tcp all flags /SFRA
block in log first quick on vr0 proto tcp all flags F/SFRA
block in log first quick on vr0 proto tcp all flags U/SFRAU
block in log first quick on vr0 proto tcp all flags P

# Block anything with special options
block in quick on vr0 all with ipopts

# Block public pings
block in log quick on vr0 proto icmp all icmp-type 8

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a "denial of service" attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on vr0 all

Thanks,
Stephan Weaver
stephanweaver@hotmail.com
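As an added example (not part of Stephan's message or of the ipfilter project), the script below resolves the `@0:29` reference in the quoted log lines to the rule text and then walks the posted ruleset for the logged packet, so you can see which rule decided the packet's fate. It assumes ipfilter's logging convention that `@group:rule` numbers a rule by its position in the inbound or outbound list (the numbering `ipfstat -in` and `ipfstat -on` print) and models only interface, protocol, address and port matching with last-match-wins semantics unless `quick`; rules that depend on `with`, `flags` or `icmp-type` details a log line does not carry are treated as non-matching. The embedded ruleset and log lines are constructed from the message (comment-only lines dropped, rule order unchanged).

```python
import ipaddress
import re

# Rules from the posted ipf.rules, comment-only lines dropped (constructed sample input).
IPF_RULES = """
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on vr1 all
pass out quick on vr1 all
pass out quick on vr0 from any to any keep state
pass in quick on vr0 proto tcp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto tcp from 196.3.132.4 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.4 to any port = 53 keep state
block in log quick on vr0 from 192.168.0.0/16 to any
block in log quick on vr0 from 172.16.0.0/12 to any
block in log quick on vr0 from 10.0.0.0/8 to any
block in log quick on vr0 from 127.0.0.0/8 to any
block in log quick on vr0 from 0.0.0.0/8 to any
block in log quick on vr0 from 169.254.0.0/16 to any
block in log quick on vr0 from 192.0.2.0/24 to any
block in log quick on vr0 from 204.152.64.0/23 to any
block in log quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp all flags FUP
block in log first quick on vr0 proto tcp all flags SF/SFRA
block in log first quick on vr0 proto tcp all flags /SFRA
block in log first quick on vr0 proto tcp all flags F/SFRA
block in log first quick on vr0 proto tcp all flags U/SFRAU
block in log first quick on vr0 proto tcp all flags P
block in quick on vr0 all with ipopts
block in log quick on vr0 proto icmp all icmp-type 8
block in log first quick on vr0 all
"""

# The two ipmon entries quoted in the message (constructed sample input).
LOG_LINES = """\
23/06/2005 10:36:06.691347 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61827 PR udp len 20 66 IN
23/06/2005 10:36:07.652341 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61828 PR udp len 20 70 IN
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<act>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<dir>IN|OUT)$"
)


def parse_log_line(line):
    """Turn one ipmon line into a packet dict (numbers as ints, direction as 'in'/'out')."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: " + line)
    pkt = m.groupdict()
    for key in ("group", "rule", "sport", "dport"):
        pkt[key] = int(pkt[key])
    pkt["dir"] = pkt["dir"].lower()
    return pkt


def parse_rule(line):
    """Parse the subset of ipf rule syntax used in the posted ruleset."""
    toks = line.split("#", 1)[0].split()
    if not toks:
        return None
    r = {"text": " ".join(toks), "action": toks[0], "dir": toks[1], "quick": "quick" in toks,
         "iface": None, "proto": None, "src": None, "dst": None, "sport": None, "dport": None,
         "extras": False}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("on", "proto"):
            r["iface" if t == "on" else "proto"] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):
            key = "src" if t == "from" else "dst"
            r[key] = None if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
            if i + 2 < len(toks) and toks[i] == "port" and toks[i + 1] == "=":
                r["sport" if key == "src" else "dport"] = int(toks[i + 2])  # port binds to the preceding from/to
                i += 3
        elif t in ("with", "flags", "icmp-type"):
            r["extras"] = True  # needs packet details the log line does not carry; never matched here
            break
        elif t in ("all", "log", "first", "quick", "keep", "state"):
            i += 1
        else:
            raise ValueError("unsupported keyword %r in rule: %s" % (t, line))
    return r


def load_rules(text):
    """Split rules into the inbound and outbound lists, in file order (1-based like ipfstat)."""
    rules = {"in": [], "out": []}
    for line in text.splitlines():
        r = parse_rule(line)
        if r:
            rules[r["dir"]].append(r)
    return rules


def rule_matches(r, pkt):
    if r["extras"] or (r["iface"] and r["iface"] != pkt["ifname"]) or (r["proto"] and r["proto"] != pkt["proto"]):
        return False
    for net, port_key, addr, port in ((r["src"], "sport", pkt["src"], pkt["sport"]),
                                      (r["dst"], "dport", pkt["dst"], pkt["dport"])):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
        if r[port_key] is not None and r[port_key] != port:
            return False
    return True


def evaluate(rules, pkt):
    """ipf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    decided = None
    for idx, r in enumerate(rules[pkt["dir"]], start=1):
        if rule_matches(r, pkt):
            decided = (idx, r)
            if r["quick"]:
                break
    return decided


def rule_for_log_entry(rules, pkt):
    """Rule text behind the @group:rule reference in a log line."""
    return rules[pkt["dir"]][pkt["rule"] - 1]["text"]


if __name__ == "__main__":
    rules = load_rules(IPF_RULES)
    for line in LOG_LINES.splitlines():
        pkt = parse_log_line(line)
        idx, r = evaluate(rules, pkt)
        print("@%d:%d -> %s | replay decides rule %d (%s)" % (pkt["group"], pkt["rule"],
              rule_for_log_entry(rules, pkt), idx, r["action"]))
```

With the rules as posted, inbound rule 29 is the final `block in log first quick on vr0 all`, and the `pass in ... port = 53` rules match only a destination port of 53 (queries arriving at a name server), never a reply whose source port is 53. Such a reply is passed only by the state entry the `pass out ... keep state` rule created for the outgoing query; if that entry is gone, for example because it has timed out, the reply falls through to the catch-all, which is exactly what the log shows. Replaying a constructed packet with destination port 53 from the same source in the script decides at rule 7 (`pass`), which makes the asymmetry visible.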