From owner-freebsd-questions Thu Oct 4 5:41:17 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.the-i-pa.com (mail.the-i-pa.com [151.201.71.132])
    by hub.freebsd.org (Postfix) with SMTP id 81A6037B406
    for ; Thu, 4 Oct 2001 05:41:08 -0700 (PDT)
Received: (qmail 6403 invoked from network); 4 Oct 2001 12:53:02 -0000
Received: from unknown (HELO proxy.the-i-pa.com) (151.201.71.210)
    by mail.the-i-pa.com with SMTP; 4 Oct 2001 12:53:02 -0000
Content-Type: text/plain; charset="iso-8859-1"
From: Bill Moran
Organization: Potential Technology
To: "Robin P. Blanchard" , stable@freebsd.org
Subject: Re: ipfilter/ipnat question
Date: Thu, 4 Oct 2001 08:44:06 -0400
X-Mailer: KMail [version 1.2]
References: <3BBC56A5.CA8F47E4@gactr.uga.edu>
In-Reply-To: <3BBC56A5.CA8F47E4@gactr.uga.edu>
Cc: questions@freebsd.org
MIME-Version: 1.0
Message-Id: <01100408440601.01917@proxy.the-i-pa.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[This belongs on -questions, I've cced]

On Thursday 04 October 2001 08:31, Robin P. Blanchard wrote:
> every now and then in my ipflog i see that ipfilter has blocked packets
> from the internet destined for machines on my internal network:
>
> 01/10/2001 19:30:54.722906 3x dc0 @0:23 b 207.68.131.21,80 ->
> 192.168.0.126,1045 PR tcp len 20 1500 -A IN
> 01/10/2001 19:40:50.351123 dc0 @0:23 b 207.46.106.81,80 ->
> 192.168.0.126,1033 PR tcp len 20 1500 -A IN
> 02/10/2001 17:43:47.320547 50x dc0 @0:23 b 128.192.37.79,20 ->
> 192.168.0.126,1148 PR tcp len 20 1500 -A IN
>
>
> my question is: how is it that my internal IPs are getting to these
> hosts in the first place? shouldn't ipnat have taken care of that on the
> way out?

They probably aren't. Do a traceroute to some well-known sites (such as
yahoo). Chances are that your ISP is using RFC-1918 addys on their internal
routing. Stupid idea, but it's become commonplace to do it.
IPv6 needs to come into use soon. This internet thing is such a mess that it
amazes me that it works at all!

--
Bill Moran
Potential Technology
technical services
(412) 793-4257