Date: Sat, 16 Oct 2004 10:19:00 -0500
From: Norm Vilmer <norm@etherealconsulting.com>
To: Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Need help with IPFW rule
Message-ID: <41713BE4.2010700@etherealconsulting.com>
In-Reply-To: <44y8idqhgk.fsf@be-well.ilk.org>
References: <41674DF5.4010409@etherealconsulting.com> <44y8idqhgk.fsf@be-well.ilk.org>
Lowell Gilbert wrote:
> Norm Vilmer <norm@etherealconsulting.com> writes:
>
>> I get this message (below) on the console of my FreeBSD 4.10 firewall:
>>
>> Connection attempt to TCP <my public ip>:20388 from 61.151.248.42:80
>> flags 0x12
>>
>> It appears that this is getting through the firewall and is logged to
>> the console because log_in_vain is 1.
>>
>> Question: What IPFW rule would block this without interfering with
>> normal http traffic on port 80 (I have Apache running on the box and
>> nat'd machines on the inside interface that access the Internet)?
>
> In most people's configurations, this would be getting blocked by a
> default block-all rule. The users' connection out on port 80 would be
> accepted by a rule that is specific to the outgoing direction, and
> incoming packets on those connections would be accepted by either
> keeping state or by letting in only non-SYN packets.

I added log statements to every ipfw rule last night and ran tethereal
against my public interface to get more info on what is happening. It
looks like rule 600 is letting the connection attempts through before
they get to the deny-all rule.

Here's what rule 600 looks like:

    ${cmd} add 600 pass log tcp from any to any established

Here are the console messages from log_in_vain:

Oct 16 00:03:42 mother /kernel: Oct 16 00:03:42 mother /kernel: Connection attempt to TCP <<my public ip>>:3672 from 69.93.197.98:80 flags:0x12
Oct 16 01:47:34 mother /kernel: Oct 16 01:47:34 mother /kernel: Connection attempt to TCP <<my public ip>>:22813 from 69.93.197.98:80 flags:0x12
Oct 16 01:59:35 mother /kernel: Oct 16 01:59:35 mother /kernel: Connection attempt to TCP <<my public ip>>:25475 from 69.93.197.98:80 flags:0x12
Oct 16 02:14:23 mother /kernel: Oct 16 02:14:23 mother /kernel: Connection attempt to TCP <<my public ip>>:14512 from 69.93.197.98:80 flags:0x12

Here are the IPFW logs:

Oct 16 00:03:42 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <<my public ip>>:3672 in via tun0
Oct 16 01:47:34 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <<my public ip>>:22813 in via tun0
Oct 16 01:59:35 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <<my public ip>>:25475 in via tun0
Oct 16 02:14:23 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <<my public ip>>:14512 in via tun0

Here's the tethereal output:

 74 1132.587912 69.93.197.98 -> <<my public ip>> TCP http > 3672 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
238 7364.391310 69.93.197.98 -> <<my public ip>> TCP http > 22813 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
259 8085.745452 69.93.197.98 -> <<my public ip>> TCP http > 25475 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
270 8973.898736 69.93.197.98 -> <<my public ip>> TCP http > 14512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452

I am stumped. How can I block these packets? Is the person sending the
packets trying to get packets through as established when they are
really not? Why? Is this a threat?
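Added example (not from the thread): a small Python model of why rule 600 matches these segments (ipfw's `established` means "RST or ACK set", and a SYN/ACK has ACK set) beside the keep-state approach Lowell describes, run over a console line in the format quoted above. The public address 203.0.113.5, the second sample line and the `StatefulFilter` class are constructed assumptions for the demonstration.

```python
import re

# TCP flag bits as they appear in the log_in_vain "flags:0x12" field (SYN=0x02, ACK=0x10).
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10

def matches_established(flags):
    """ipfw 'established': RST or ACK set. A SYN+ACK (0x12) has ACK set, so rule 600 passes it."""
    return bool(flags & (TH_RST | TH_ACK))

def matches_setup(flags):
    """ipfw 'setup': SYN set and ACK clear, i.e. the first packet of a new connection."""
    return bool(flags & TH_SYN) and not flags & TH_ACK

LOG_RE = re.compile(r"Connection attempt to TCP (\S+):(\d+) from (\S+):(\d+) flags:0x([0-9a-f]+)", re.I)

def parse_in_vain(line):
    """Extract local/remote endpoints and flags from a log_in_vain console line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"dst": m[1], "dport": int(m[2]), "src": m[3], "sport": int(m[4]), "flags": int(m[5], 16)}

class StatefulFilter:
    """Hypothetical model of 'setup keep-state' plus 'check-state': an inbound segment is
    accepted only if this host opened the connection it belongs to."""
    def __init__(self):
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, local, lport, remote, rport, flags):
        if matches_setup(flags):                # our own SYN creates the dynamic rule
            self.flows.add((local, lport, remote, rport))
        return (local, lport, remote, rport) in self.flows

    def inbound(self, pkt):
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.flows

# Constructed sample in the format quoted above; 203.0.113.5 stands in for the public IP.
SAMPLE = [
    "Oct 16 00:03:42 mother /kernel: Connection attempt to TCP 203.0.113.5:3672 from 69.93.197.98:80 flags:0x12",
    "Oct 16 00:05:00 mother /kernel: Connection attempt to TCP 203.0.113.5:40000 from 69.93.197.98:80 flags:0x12",
]

def demo():
    """For each sample line: (local port, passed by rule 600?, passed by the stateful model?)."""
    fw = StatefulFilter()
    fw.outbound("203.0.113.5", 40000, "69.93.197.98", 80, TH_SYN)  # only port 40000 was opened by us
    return [(p["dport"], matches_established(p["flags"]), fw.inbound(p))
            for p in map(parse_in_vain, SAMPLE) if p]
# -> [(3672, True, False), (40000, True, True)]
```

The unsolicited SYN/ACK to port 3672 passes the `established` test but has no matching outbound SYN, which is the difference between rule 600 and a stateful rule.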