From: Walter
Date: Fri, 28 Mar 2003 10:34:16 -0500
To: freebsd-questions@freebsd.org
Subject: ipfw question
Message-ID: <3E846B78.10607@earthlink.net>

Hi all,

I see a strange entry in my mail log from the ipfw log output.
I don't really have a firm grasp on ipfw yet and need help
understanding how this log entry came about (17 times), below:

> ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0

The output of "ipfw list" starts as:

00100 allow ip from any to any via lo0
00200 deny log logamount 100 ip from any to 127.0.0.0/8
00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
01300 divert 8668 ip from any to any via fxp0
01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0

My question is how come rule 00700 did not kick out the prober,
rather falling to rule 01700? I realize the log amounts are limited,
but how did rule 01700 get activated when rule 00700, seems to me,
should have knocked out the packet?

Is this evidence of someone having broken into my FBSD router, as
there are no other entries I've seen to other possible internal IPs,
or was someone just lucky?

Thanks.
Walter
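The ordering question in the post turns on how ipfw treats the divert rule. A packet that matches 01300 is handed to natd, and when natd writes it back, evaluation resumes at the rule after the divert, not at 00100. Rules 00100 to 01200 therefore only ever see an inbound packet with its original, public destination, and rules 01400 to 02100 only see it after translation. That is why a packet with a 0.0.0.0/8 source arriving on fxp0 ends at 01700 whatever its destination, and why the destination printed in the syslog line is already a 192.168 address. The following Python model is an added example, not code from Walter's post or from ipfw or natd; it parses the ruleset exactly as pasted and walks it with first-match semantics and a toy natd. The router's public address (24.170.166.191), the LAN host 192.168.1.10 and the natd mapping on port 49339 are constructed for the example, and "via IF" and "recv IF" are treated alike, which is correct for the inbound packet traced here.

```python
"""ipfw first-match evaluation around a natd divert rule (added example,
not code from the post, ipfw or natd). A diverted packet is re-injected
by natd and continues at the rule AFTER the divert, never at 00100."""
import ipaddress
from collections import namedtuple

# The ruleset exactly as pasted in the post ("log logamount 100" only affects logging).
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00200 deny log logamount 100 ip from any to 127.0.0.0/8
00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
01300 divert 8668 ip from any to any via fxp0
01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
"""

# iface comes from "via IF" or "recv IF" (None = any); inbound_only is the "in" keyword.
Rule = namedtuple("Rule", "number action src dst iface inbound_only")
Packet = namedtuple("Packet", "proto src sport dst dport iface direction")  # direction: in|out

def parse_rules(text):
    """Parse the subset of `ipfw list` syntax used in the post."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        i = t.index("from")          # skips "log logamount N" and the divert port
        src, dst, opts = t[i + 1], t[i + 3], t[i + 4:]
        iface = next((opts[k + 1] for k, w in enumerate(opts)
                      if w in ("via", "recv")), None)
        rules.append(Rule(int(t[0]), t[1], src, dst, iface, "in" in opts))
    return rules

def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    # For an inbound packet "via IF" and "recv IF" both mean "arrived on IF".
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.inbound_only and pkt.direction != "in":
        return False
    return _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)

def natd_inbound(pkt, nat_table):
    """Toy natd: rewrite the destination when the public port has a mapping."""
    hit = nat_table.get((pkt.dst, pkt.dport))
    return pkt if hit is None else pkt._replace(dst=hit[0], dport=hit[1])

def first_match(rules, pkt, nat_table):
    """Return (rule number, action, packet as that rule saw it). A divert
    rule translates the packet and evaluation resumes at the NEXT rule."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action != "divert":
            return rule.number, rule.action, pkt
        pkt = natd_inbound(pkt, nat_table)   # natd writes it back; carry on below 01300
    return 65535, "deny", pkt                # ipfw's default rule (deny on a stock kernel)

def log_line(number, pkt):
    """Format the packet the way the syslog line in the post shows it."""
    return (f"ipfw: {number} Deny {pkt.proto} {pkt.src}:{pkt.sport} "
            f"{pkt.dst}:{pkt.dport} {pkt.direction} via {pkt.iface}")

RULES = parse_rules(IPFW_LIST)
# Constructed for the example: the router's public address and one natd
# mapping left behind by an earlier outbound connection from a LAN host.
PUBLIC_IP = "24.170.166.191"
NAT_TABLE = {(PUBLIC_IP, 49339): ("192.168.1.10", 49339)}
PROBE = Packet("TCP", "0.0.0.0", 80, PUBLIC_IP, 49339, "fxp0", "in")

def trace_probe():
    """The packet as it arrived on fxp0, still with its public destination."""
    return first_match(RULES, PROBE, NAT_TABLE)

def trace_if_restarted_from_top():
    """Not what ipfw does: restart at 00100 with the already translated packet."""
    return first_match(RULES, natd_inbound(PROBE, NAT_TABLE), NAT_TABLE)

if __name__ == "__main__":
    number, _, seen = trace_probe()
    print(log_line(number, seen))
```

Running the block prints `ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.1.10:49339 in via fxp0`, the same shape as the line in the post. The split of the private-address checks around the divert rule is deliberate: a packet leaving the LAN still carries its 192.168 source when it passes 00100 to 01200, so source checks placed there would block all outbound traffic, and an inbound reply only acquires a 192.168 destination after natd. `trace_if_restarted_from_top()` confirms that 00700 would match the translated packet if ipfw went back to the top, which it does not. With an empty NAT table the probe still ends at 01700; only the logged destination changes to the public address, so the 192.168 address in the syslog line records what natd did to the packet, not that the packet carried that destination on the wire. The mapping natd applied at the time can be checked against natd's own verbose output (`natd -v`).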