From: "Dragoncrest"
To: Luke Kearney
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 12 Feb 2004 13:41:31 -0500
Subject: Re: Problem with someone port scanning me
Message-Id: <200402121841.i1CIfV7Y007154@mail3.mx.voyager.net>

Thanks. I'm gonna give this one a spin. Gonna keep scanlogd in the back of my mind as something else to try should this not work. Thanks.

One last question. Does IPF work by default or do I have to do anything special? And I'm assuming I just type IPF at the command line and the program does the rest?

> On Thu, 12 Feb 2004 11:12:53 -0500
> Dragoncrest granted us these pearls of wisdom:
>
> > For the past couple of days I've had someone on our lan port scanning my
> > box. Not sure what's up with that, but I'm curious if there's a way to log
> > what IP address this is coming from. I don't have IPFW enabled yet as I
> > haven't had the time to configure it at this point as it's currently behind
> > the company firewall on our T3. Is there a way to log where it's coming
> > from? Or is that already being logged somewhere?
>
> I wonder if you might get some benefit from a couple of simple IPF rules
> and a quick portsentry install.
>
> /etc/ipf.rules
>
> pass in log on interface0 from any to any
> pass out log on interface0 from IP to any
>
> with the appropriate startup would give you a good idea of the IP
> address the scan is coming from. Whether your DHCP server admin will
> tell you who that address is is a different matter.
>
> HTH
>
> LK
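
An added example, not part of the original thread: packets matched by the `log` rules quoted above are recorded by ipmon(8), and a short script can tally which source address touched the most distinct ports on the box. The sample lines are constructed, and the line layout the regex expects and the five-port threshold are assumptions to adjust to your own log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout ipmon(8) writes to syslog for rules
# carrying the "log" keyword. Host, interface, addresses and ports are made up.
SAMPLE_LOG = """\
Feb 12 11:02:01 box ipmon[214]: 11:02:00.101010 fxp0 @0:1 p 10.0.0.23,40112 -> 10.0.0.5,21 PR tcp len 20 60 -S IN
Feb 12 11:02:01 box ipmon[214]: 11:02:00.101950 fxp0 @0:1 p 10.0.0.23,40113 -> 10.0.0.5,22 PR tcp len 20 60 -S IN
Feb 12 11:02:01 box ipmon[214]: 11:02:00.102400 fxp0 @0:1 p 10.0.0.23,40114 -> 10.0.0.5,23 PR tcp len 20 60 -S IN
Feb 12 11:02:01 box ipmon[214]: 11:02:00.103100 fxp0 @0:1 p 10.0.0.23,40115 -> 10.0.0.5,25 PR tcp len 20 60 -S IN
Feb 12 11:02:01 box ipmon[214]: 11:02:00.103800 fxp0 @0:1 p 10.0.0.23,40116 -> 10.0.0.5,80 PR tcp len 20 60 -S IN
Feb 12 11:02:07 box ipmon[214]: 11:02:06.500000 fxp0 @0:1 p 10.0.0.40,51000 -> 10.0.0.5,22 PR tcp len 20 60 -S IN
Feb 12 11:02:08 box ipmon[214]: 11:02:07.250000 fxp0 @0:1 p 10.0.0.40,51000 -> 10.0.0.5,22 PR tcp len 20 52 -A IN
Feb 12 11:02:09 box ipmon[214]: 11:02:08.000000 fxp0 @0:2 p 10.0.0.5,22 -> 10.0.0.40,51000 PR tcp len 20 60 -AS OUT
Feb 12 11:02:10 box ipmon[214]: 11:02:09.000000 fxp0 @0:1 p 10.0.0.77 -> 10.0.0.5 PR icmp len 20 84 icmp echo/0 IN
"""

# Inbound TCP/UDP entries only: "src,sport -> dst,dport PR proto ... IN".
# The optional "Nx" token is the repeat count ipmon may print before the
# interface name.
LINE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+(?:\d+x\s+)?(?P<iface>\S+)\s+@\S+\s+\S\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>tcp|udp)\b.*\bIN\s*$"
)


def scan_suspects(log_text, min_ports=5):
    """Return {source_ip: sorted destination ports} for every source that
    reached at least min_ports distinct local ports (threshold is an assumption)."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:  # outbound, ICMP and unrelated syslog lines are skipped
            ports[m["src"]].add(int(m["dport"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for ip, hit in scan_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(hit)} distinct ports probed: {hit}")
```

Feed it the file your syslog configuration sends ipmon output to in place of `SAMPLE_LOG`; a host that legitimately talks to one service shows up with a single port and stays below the threshold.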