From: Norm Vilmer <norm@etherealconsulting.com>
Date: Sat, 16 Oct 2004 10:19:00 -0500
To: Lowell Gilbert
Cc: freebsd-questions@freebsd.org
Subject: Re: Need help with IPFW rule
Message-ID: <41713BE4.2010700@etherealconsulting.com>
In-Reply-To: <44y8idqhgk.fsf@be-well.ilk.org>

Lowell Gilbert wrote:
> Norm Vilmer writes:
>
>> I get this message (below) on the console of my FreeBSD 4.10 firewall:
>>
>> Connection attempt to TCP :20388 from 61.151.248.42:80
>> flags 0x12
>>
>> It appears that this is getting through the firewall and is logged to
>> the console because log_in_vain is 1.
>>
>> Question: What IPFW rule would block this without interfering with
>> normal http traffic on port 80 (I have Apache running on the box and
>> nat'd machines on the inside interface that access the Internet)?
>
> In most peoples' configurations, this would be getting blocked by a
> default block-all rule. The users' connection out on port 80 would be
> accepted by a rule that is specific to the outgoing direction, and
> incoming packets on those connections would be accepted by either
> keeping state or by letting in only non-SYN packets.

I added log statements to every ipfw rule last night and ran tethereal
against my public interface to get more info on what is happening. It
looks like rule 600 is letting the connection attempts through before
they get to the deny-all rule. Here's what rule 600 looks like:

    ${cmd} add 600 pass log tcp from any to any established

Here are the console messages from log_in_vain:

Oct 16 00:03:42 mother /kernel: Oct 16 00:03:42 mother /kernel: Connection attempt to TCP <>:3672 from 69.93.197.98:80 flags:0x12
Oct 16 01:47:34 mother /kernel: Oct 16 01:47:34 mother /kernel: Connection attempt to TCP <>:22813 from 69.93.197.98:80 flags:0x12
Oct 16 01:59:35 mother /kernel: Oct 16 01:59:35 mother /kernel: Connection attempt to TCP <>:25475 from 69.93.197.98:80 flags:0x12
Oct 16 02:14:23 mother /kernel: Oct 16 02:14:23 mother /kernel: Connection attempt to TCP <>:14512 from 69.93.197.98:80 flags:0x12

Here are the IPFW logs:

Oct 16 00:03:42 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <>:3672 in via tun0
Oct 16 01:47:34 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <>:22813 in via tun0
Oct 16 01:59:35 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <>:25475 in via tun0
Oct 16 02:14:23 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80 <>:14512 in via tun0

Here's the tethereal output:

 74 1132.587912 69.93.197.98 -> <> TCP http > 3672 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
238 7364.391310 69.93.197.98 -> <> TCP http > 22813 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
259 8085.745452 69.93.197.98 -> <> TCP http > 25475 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
270 8973.898736 69.93.197.98 -> <> TCP http > 14512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452

I am stumped; how can I block these packets? Is the person sending the
packets trying to get packets through as established when they are
really not? Why? Is this a threat?
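Added example (Python, written for this page; it is not code from the thread or from FreeBSD): it models the three flag tests the thread turns on. ipfw's `established` keyword matches any TCP segment with the ACK or RST bit set, `setup` matches SYN without ACK, and the "let in only non-SYN packets" idea from the reply is a test on the SYN bit alone. The block decodes the `flags:0x12` value from constructed log_in_vain lines in the format quoted above and reports which tests each segment satisfies. The parser, the documentation addresses 192.0.2.10 and 198.51.100.7, and the third sample line are assumptions made for illustration.

```python
import re

# TCP control bits as they appear in the hex value log_in_vain prints.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
          ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def flag_names(flags):
    """Decode a flags byte into its set bits, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in _NAMES if flags & bit]


def matches_established(flags):
    """ipfw 'established': any TCP segment with RST or ACK set.
    This is a test on the flag bits only; ipfw keeps no record of whether
    this host ever sent the SYN that would justify the ACK."""
    return bool(flags & (ACK | RST))


def matches_setup(flags):
    """ipfw 'setup': SYN set and ACK clear, the first segment of a connection."""
    return bool(flags & SYN) and not flags & ACK


def is_non_syn(flags):
    """The 'only non-SYN packets' test from the reply: SYN bit clear."""
    return not flags & SYN


# Hypothetical parser for the log_in_vain line format quoted in the message.
# The destination field is whatever the local address was (or was redacted to).
_LOG_RE = re.compile(
    r"Connection attempt to TCP (\S+):(\d+) from (\S+):(\d+) flags:?\s*(0x[0-9a-fA-F]+)"
)


def parse_log_in_vain(line):
    """Return addresses, ports and the raw flags of one console line, or None."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    dst, dport, src, sport, flags = m.groups()
    return {"dst": dst, "dport": int(dport), "src": src,
            "sport": int(sport), "flags": int(flags, 16)}


def classify(line):
    """Report which ipfw-style tests a logged segment would satisfy."""
    p = parse_log_in_vain(line)
    if p is None:
        return None
    f = p["flags"]
    return {
        "src": "%s:%d" % (p["src"], p["sport"]),
        "flags": flag_names(f),
        "established": matches_established(f),
        "setup": matches_setup(f),
        "non_syn": is_non_syn(f),
    }


# Constructed sample lines modelled on the console output in the message;
# 192.0.2.10 stands in for the redacted host, the third line is invented.
SAMPLE_LOG = [
    "Oct 16 00:03:42 mother /kernel: Connection attempt to TCP 192.0.2.10:3672 from 69.93.197.98:80 flags:0x12",
    "Oct 16 01:47:34 mother /kernel: Connection attempt to TCP 192.0.2.10:22813 from 69.93.197.98:80 flags:0x12",
    "Oct 16 01:50:00 mother /kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:4444 flags:0x2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

Flags 0x12 decodes to SYN+ACK. Because the ACK bit is set, the segment satisfies `established` even though the host never sent a SYN to port 80 of that source, which is exactly why rule 600 accepts it before the deny-all rule is reached; the kernel then logs it through log_in_vain because nothing is listening on the high port. `established` is a flag test, not connection tracking. Only a stateful rule (ipfw `keep-state` on the outbound `setup` rule with `check-state` inbound) ties acceptance of an incoming ACK-bearing segment to a connection the host actually opened, and the plain non-SYN test from the reply would also reject a SYN+ACK while still passing the data and ACK segments of real outbound connections.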