From: "Stephan Weaver" <stephanweaver@hotmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 23 Jun 2005 10:42:27 -0400
Subject: IPFILTER 'again' ?

Hello,

I notice this in my /var/log/ipfilter.log:

23/06/2005 10:36:06.691347 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61827 PR udp len 20 66 IN
23/06/2005 10:36:07.652341 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61828 PR udp len 20 70 IN

which should never occur, since my rules look like this:
ipf.rules --

# Default deny in both directions; the rules below open specific holes
block in all
block out all

# Loopback and the inside interface (vr1) are unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on vr1 all
pass out quick on vr1 all

# Outbound on the external interface (vr0); keep state so the replies can come back
pass out quick on vr0 from any to any keep state

# Inbound DNS from the two name servers ("to any port = 53" matches the destination port)
pass in quick on vr0 proto tcp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto tcp from 196.3.132.4 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.4 to any port = 53 keep state

# Block all inbound traffic from non-routable or reserved address spaces
block in log quick on vr0 from 192.168.0.0/16 to any    # RFC 1918 private IP
block in log quick on vr0 from 172.16.0.0/12 to any     # RFC 1918 private IP
block in log quick on vr0 from 10.0.0.0/8 to any        # RFC 1918 private IP
block in log quick on vr0 from 127.0.0.0/8 to any       # loopback
block in log quick on vr0 from 0.0.0.0/8 to any         # "this network" (RFC 1122)
block in log quick on vr0 from 169.254.0.0/16 to any    # DHCP auto-config (link-local)
block in log quick on vr0 from 192.0.2.0/24 to any      # reserved for documentation
block in log quick on vr0 from 204.152.64.0/23 to any   # Sun cluster interconnect
block in log quick on vr0 from 224.0.0.0/3 to any       # Class D & E (multicast, reserved)

# Block fragments
block in quick on vr0 all with frags

# Block short TCP packets
block in quick on vr0 proto tcp all with short

# Block source-routed packets
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on vr0 proto tcp all flags FUP
block in log first quick on vr0 proto tcp all flags SF/SFRA
block in log first quick on vr0 proto tcp all flags /SFRA
block in log first quick on vr0 proto tcp all flags F/SFRA
block in log first quick on vr0 proto tcp all flags U/SFRAU
block in log first quick on vr0 proto tcp all flags P

# Block anything with special IP options
block in quick on vr0 all with ipopts

# Block public pings (ICMP echo request)
block in log quick on vr0 proto icmp all icmp-type 8

# Block and log only the first occurrence of all remaining traffic
# coming into the firewall. Logging only the first occurrence stops
# a 'denial of service' attack aimed at filling up your log file space.
# This rule enforces the block-all-by-default logic.
block in log first quick on vr0 all

Thanks,

Stephan Weaver
stephanweaver@hotmail.com