Message-ID: <42A8F897.6060305@edgefocus.com>
Date: Thu, 09 Jun 2005 19:19:03 -0700
From: Karan Gupta
Organization: EdgeFocus Inc
To: freebsd-questions@freebsd.org
Subject: help! Strange traffic

Hi

I'm running a fBSD T1 router (a gateway with a Sangoma 514 CSU/DSU card) that performs DHCP, NAT, ipfw firewall.

FreeBSD rtr-eee.eeee.com 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Thu Jul 31 04:47:04 PDT 2003 root@:/usr/src/sys/compile/GENERIC i386

I'm seeing the following traffic on doing tcpdump on the external interface:

01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S 1396310016:1396310016(0) win 16384
01:12:15.876288 201.93.36.41.1587 > web.visp.ashosting.nl.http: S 802357248:802357248(0) win 16384
01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http: S 1656750080:1656750080(0) win 16384
01:12:15.886056 201.93.36.250.1194 > web.visp.ashosting.nl.http: S 1188954112:1188954112(0) win 16384
01:12:15.886794 201.93.36.118.1613 > web.visp.ashosting.nl.http: S 474546176:474546176(0) win 16384
01:12:15.887628 201.93.36.120.1135 > web.visp.ashosting.nl.http: S 224526336:224526336(0) win 16384
01:12:15.895344 201.93.37.129.1073 > web.visp.ashosting.nl.http: S 5767168:5767168(0) win 16384
01:12:15.896286 201.93.37.131.timbuktu-srv3 > web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
01:12:15.905302 201.93.37.225.1341 > web.visp.ashosting.nl.http: S 2125070336:2125070336(0) win 16384
01:12:15.906042 201.93.37.223.docstor > web.visp.ashosting.nl.http: S 1558642688:1558642688(0) win 16384
01:12:15.915253 201.93.38.91.1842 > web.visp.ashosting.nl.http: S 1312751616:1312751616(0) win 16384
01:12:15.916105 201.93.38.89.1326 > web.visp.ashosting.nl.http: S 1620377600:1620377600(0) win 16384

The 201.x.x.x is NOT from my local network. That would mean that web.visp.ashosting.nl is being hosted on my network (weird!!) ????
This name doesn't resolve to any IP address either.

How do I block this? I tried blocking 201.93.0.0/16 but then the traffic started coming from 195.x.x.x

Help!!!!!!
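
Added example, not part of the original message: a small triage script that parses tcpdump text lines in the format shown above and summarizes the bare SYN packets by source prefix, target and time span. The function names and the `192.168.0.0/24` local network are assumptions, since the post does not give the router's addressing; the sample lines are copied from the post.

```python
import ipaddress
import re
from collections import Counter

# Lines copied from the tcpdump output in the post (old tcpdump text format).
SAMPLE = """\
01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S 1396310016:1396310016(0) win 16384
01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http: S 1656750080:1656750080(0) win 16384
01:12:15.896286 201.93.37.131.timbuktu-srv3 > web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
01:12:15.915253 201.93.38.91.1842 > web.visp.ashosting.nl.http: S 1312751616:1312751616(0) win 16384
01:12:15.916105 201.93.38.89.1326 > web.visp.ashosting.nl.http: S 1620377600:1620377600(0) win 16384
""".splitlines()

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+) > (\S+): (\S+) ")

def split_endpoint(endpoint):
    """Split 'host.port' at the last dot; the port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def summarize(lines, local_net="192.168.0.0/24"):  # local_net: assumed placeholder
    """Summarize bare SYN packets: sources, /16 prefixes, targets, time span."""
    local = ipaddress.ip_network(local_net)
    times, sources, targets, prefixes = [], set(), Counter(), Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(6) != "S" or " ack " in line:
            continue  # unparsable line, or not a bare SYN (SYN-ACK carries 'ack')
        h, mi, s, src_ep, dst_ep, _ = m.groups()
        try:
            addr = ipaddress.ip_address(split_endpoint(src_ep)[0])
        except ValueError:
            continue  # source printed as a hostname, not an address
        dst, dport = split_endpoint(dst_ep)
        times.append(int(h) * 3600 + int(mi) * 60 + float(s))
        sources.add(addr)
        targets[f"{dst}:{dport}"] += 1
        prefixes[str(ipaddress.ip_network(f"{addr}/16", strict=False))] += 1
    return {
        "syn_count": len(times),
        "distinct_sources": len(sources),
        "non_local_sources": sum(1 for a in sources if a not in local),
        "by_slash16": dict(prefixes),
        "targets": dict(targets),
        "span_seconds": round(max(times) - min(times), 6) if times else 0.0,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Sources printed as hostnames are skipped; capturing with `tcpdump -n` keeps both endpoints numeric, so the destination can be compared with the router's own addresses.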