From owner-freebsd-questions@FreeBSD.ORG Fri Dec 5 02:34:04 2003
Date: Fri, 5 Dec 2003 19:33:49 +0900
From: horio shoichi
To: Jez Hancock
cc: FreeBSD Questions List
Subject: Re: ipfilter traffic blocking and tcpdump snort etc
In-Reply-To: <20031205002412.GA37507@users.munk.nu>
Message-Id: <20031205.103353.985d01b49b9f3980.10.0.3.9@bugsgrief.net>

On Fri, 5 Dec 2003 00:24:12 +0000
Jez Hancock wrote:
> Hi,
>
> I've blocked a dozen or so addresses using ipfilter:
>
> block in quick on fxp0 from 208.186.60.116 to any
> block in quick on fxp0 from 216.230.149.11 to any
>
> etc
>
> but I still see a lot of traffic from those hosts in trafshow, snort and
> other packet capturing utils. Why is this?
>
> Is there any alternative method of blocking access from certain hosts
> so that this traffic is not 'seen' by higher level / userland apps?
>
> As background, the blocked hosts were part of a denial of service attack
> which has been going on for a few hours now. The attack was aimed at
> port 80, although an odd artifact is that no httpd log entries were made
> for any of the hosts attempting to connect on port 80.
>
> A cursory nmap scan of a few of the hosts shows that all hosts had both
> port 25 and 80 open, but none of the hosts accepted connections on
> either of those ports. Any idea what kind of attack this could be?
>
> --
> Jez Hancock
> - System Administrator / PHP Developer
>
> http://munk.nu/

You are probably seeing the supposedly blocked packets on the "outside" of the network. Observe them on the "inside", i.e., on the interface that is not fxp0. What you are seeing are packets ipfilter is just about to handle.

I don't understand your second question. Are you thinking about tcp wrappers, the reset feature of snort, etc.?

horio shoichi
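The reply's point is that a BPF-based sniffer on fxp0 taps packets before ipfilter gets to drop them, so tcpdump or snort output on the outside interface is not evidence that a block rule failed. An added example, not part of this thread: a Python script that reads `ipfstat -hi` output (assumed here to be a hit count followed by the rule text) and reports which inbound block rules are actually matching, which is the check to run alongside a capture on the inside interface. The sample output is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `ipfstat -hi` output (assumed format: hit count,
# then the rule as loaded); it is not a capture from the poster's host.
SAMPLE_IPFSTAT = """\
4213 block in quick on fxp0 from 208.186.60.116/32 to any
0 block in quick on fxp0 from 216.230.149.11/32 to any
98 pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
"""

RULE_RE = re.compile(
    r"^(?P<hits>\d+)\s+(?P<action>block|pass)\s+(?P<dir>in|out)\s+"
    r"(?:quick\s+)?on\s+(?P<iface>\S+)\s+(?:proto\s+\S+\s+)?"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)


def parse_ipfstat(text: str) -> List[dict]:
    """Parse hit-count lines into dicts; lines that do not look like rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["hits"] = int(d["hits"])
            # Drop a /32 suffix so the key matches the address as written in ipf.conf.
            d["src"] = re.sub(r"/32$", "", d["src"])
            rules.append(d)
    return rules


def block_hits(text: str, iface: str = "fxp0") -> Dict[str, int]:
    """Hit count per source address for inbound block rules on iface."""
    return {r["src"]: r["hits"] for r in parse_ipfstat(text)
            if r["action"] == "block" and r["dir"] == "in" and r["iface"] == iface}


def unmatched_blocks(text: str, iface: str = "fxp0") -> List[str]:
    """Blocked sources whose rule has never matched. A zero counter means the rule
    is not doing the work (wrong interface or direction), not that the sniffer lies."""
    return sorted(src for src, hits in block_hits(text, iface).items() if hits == 0)


if __name__ == "__main__":
    for src, hits in block_hits(SAMPLE_IPFSTAT).items():
        print(f"{src:>16}  {hits:>6} dropped")
    print("block rules with zero hits:", unmatched_blocks(SAMPLE_IPFSTAT))
```

On a live box, feed it real output with `ipfstat -hi | python3 check_ipf.py`-style piping after replacing the constructed sample; a rule that keeps a zero count while the address still shows up on the inside interface is the one to re-examine.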