Date: Thu, 9 Jun 2005 23:42:29 -0300 (EST)
From: Marcelo Souza
To: Karan Gupta
Cc: freebsd-questions@freebsd.org
Subject: Re: help! Strange traffic

Hi,

It seems that it's only SYN packets. Maybe someone is trying to use your
machine as a gateway, or it is only a misconfiguration. Review your policies
to allow ONLY your internal network to use this machine as a gateway, and
deny anything else.

- Marcelo Souza

On Thu, 9 Jun 2005, Karan Gupta wrote:

|Hi
| I'm running a fBSD T1 router (a gateway with a sangoma 514 csu/dsu card)
|that performs dhcp, nat, ipfw firewall.
|FreeBSD rtr-eee.eeee.com 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Thu Jul 31
|04:47:04 PDT 2003 root@:/usr/src/sys/compile/GENERIC i386
|
|I'm seeing the following traffic on doing tcpdump on the external interface
|01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S
|1396310016:1396310016(0) win 16384
|01:12:15.876288 201.93.36.41.1587 > web.visp.ashosting.nl.http: S
|802357248:802357248(0) win 16384
|01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http:
|S 1656750080:1656750080(0) win 16384
|01:12:15.886056 201.93.36.250.1194 > web.visp.ashosting.nl.http: S
|1188954112:1188954112(0) win 16384
|01:12:15.886794 201.93.36.118.1613 > web.visp.ashosting.nl.http: S
|474546176:474546176(0) win 16384
|01:12:15.887628 201.93.36.120.1135 > web.visp.ashosting.nl.http: S
|224526336:224526336(0) win 16384
|01:12:15.895344 201.93.37.129.1073 > web.visp.ashosting.nl.http: S
|5767168:5767168(0) win 16384
|01:12:15.896286 201.93.37.131.timbuktu-srv3 >
|web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
|01:12:15.905302 201.93.37.225.1341 > web.visp.ashosting.nl.http: S
|2125070336:2125070336(0) win 16384
|01:12:15.906042 201.93.37.223.docstor > web.visp.ashosting.nl.http: S
|1558642688:1558642688(0) win 16384
|01:12:15.915253 201.93.38.91.1842 > web.visp.ashosting.nl.http: S
|1312751616:1312751616(0) win 16384
|01:12:15.916105 201.93.38.89.1326 > web.visp.ashosting.nl.http: S
|1620377600:1620377600(0) win 16384
|
|The 201.x.x.x is NOT from my local network. That would mean that
|web.visp.ashosting.nl is being hosted on my network (weird!!) ???? This
|name doesn't resolve to any IP address either. How do I block this? I
|tried blocking 201.93.0.0/16 but then the traffic started coming from
|195.x.x.x
|
|Help!!!!!!
|

- Marcelo
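
The following is an added example, not part of the original messages: a Python check of the reply's observation that the capture is SYN-only, run over five of the tcpdump lines quoted above with the mail line-wrapping rejoined. The function names (`parse`, `prefix16`, `summarize`) are this example's own.

```python
import ipaddress
import re
from collections import Counter

# tcpdump lines quoted in the message above (mail line-wrapping rejoined).
CAPTURE = """\
01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S 1396310016:1396310016(0) win 16384
01:12:15.876288 201.93.36.41.1587 > web.visp.ashosting.nl.http: S 802357248:802357248(0) win 16384
01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http: S 1656750080:1656750080(0) win 16384
01:12:15.896286 201.93.37.131.timbuktu-srv3 > web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
01:12:15.915253 201.93.38.91.1842 > web.visp.ashosting.nl.http: S 1312751616:1312751616(0) win 16384
"""

# Old tcpdump TCP format: time src.port > dst.port: FLAGS seq:seq(len) [ack N] win N
LINE = re.compile(r"^\S+ (\S+)\.([^.\s]+) > (\S+)\.([^.\s]+): (\S+) (.*)$")

def parse(text):
    """Return (src, dst, dst_port, syn_only) for every TCP line that matches."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, _sport, dst, dport, flags, rest = m.groups()
        # A bare SYN has flags "S" and no "ack" field; a SYN/ACK reply carries one.
        syn_only = flags == "S" and " ack " not in f" {rest} "
        rows.append((src, dst, dport, syn_only))
    return rows

def prefix16(src):
    """Map a numeric source to its /16; names tcpdump resolved stay as-is."""
    try:
        return str(ipaddress.ip_network(f"{src}/16", strict=False))
    except ValueError:
        return src

def summarize(text):
    rows = parse(text)
    return {
        "packets": len(rows),
        "syn_only": sum(1 for r in rows if r[3]),
        "distinct_sources": len({r[0] for r in rows}),
        "source_prefixes": Counter(prefix16(r[0]) for r in rows),
        "destinations": Counter((r[1], r[2]) for r in rows),
    }

if __name__ == "__main__":
    for key, value in summarize(CAPTURE).items():
        print(f"{key}: {value}")
```

On these lines every packet is a bare SYN from a different source address inside one /16, all aimed at the same destination and port.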