From: Dancho Penev
To: Walter
Cc: freebsd-questions@FreeBSD.ORG
Date: Sat, 29 Mar 2003 19:19:53 +0200
Subject: Re: ipfw question
Message-ID: <20030329171953.GA512@earth.dpsca.bg>
In-Reply-To: <3E846B78.10607@earthlink.net>

On Fri, Mar 28, 2003 at 10:34:16AM -0500, Walter wrote:
>Date: Fri, 28 Mar 2003 10:34:16 -0500
>From: Walter
>To: Questions
>Subject: ipfw question
>
>Hi all,
>
>   I see a strange entry in my mail log from the
>ipfw log output.  I don't really have a firm grasp
>on ipfw yet and need help understanding how this
>log entry came about (17 times), below:
>
>
>  ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0
>
>The output of "ipfw list" starts as:
>
>00100 allow ip from any to any via lo0
>00200 deny log logamount 100 ip from any to 127.0.0.0/8
>00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
>00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
>00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
>00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
>00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
>00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
>00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
>01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
>01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
>01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
>01300 divert 8668 ip from any to any via fxp0
>01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
>01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
>01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
>01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
>01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
>01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
>02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
>02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
>
>
>My question is how come rule 00700 did not kick out the
>prober, rather falling to rule 01700??  I realize the log

Because the original packet was from 0.0.0.0 to YOUR_PUBLIC_IP and natd
(rule 1300) rewrites the destination address YOUR_PUBLIC_IP with your
private IP address. You should find out who sends these kinds of packets
from your net to the outside world, because they are not very regular.

>amounts are limited, but how did rule 01700 get activated
>when rule 00700, seems to me, should have knocked out the
>packet?  Is this evidence of someone having broken into my
>FBSD router, as there are no other entries I've seen to
>other possible internal IPs, or was someone just lucky?
>
>Thanks.
>
>Walter

-- 
Regards,
Dancho Penev
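
The rule walk described in the reply above, as an added example that is not part of the original thread: a small Python model of ipfw's first-match evaluation with the natd divert at rule 1300, showing why the logged destination is the private address. The public address, the private host, the natd translation entry and rule 1250 are constructed assumptions.

```python
import ipaddress

# Subset of the quoted ruleset that matters for a packet arriving "in via fxp0".
# (rule number, action, header field tested, network)
RULES = [
    (700,  "deny",   "dst", "192.168.0.0/16"),
    (800,  "deny",   "dst", "0.0.0.0/8"),
    (1300, "divert", None,  None),
    (1600, "deny",   "src", "192.168.0.0/16"),
    (1700, "deny",   "src", "0.0.0.0/8"),
]
# Hypothetical variant: the 0.0.0.0/8 source check placed ahead of the divert.
REORDERED = sorted(RULES + [(1250, "deny", "src", "0.0.0.0/8")],
                   key=lambda rule: rule[0])

# Constructed addresses; assumes natd holds a translation entry for this port.
PUBLIC_IP = "203.0.113.10"
NAT_TABLE = {(PUBLIC_IP, 49339): "192.168.1.50"}
PACKET = {"src": "0.0.0.0", "sport": 80, "dst": PUBLIC_IP, "dport": 49339}

def natd_inbound(pkt):
    """Rewrite the destination to the private address if a translation exists."""
    private = NAT_TABLE.get((pkt["dst"], pkt["dport"]))
    return dict(pkt, dst=private) if private else pkt

def walk(pkt, rules=RULES):
    """First-match evaluation; a diverted packet re-enters at the next rule."""
    for num, action, field, net in rules:
        if action == "divert":
            pkt = natd_inbound(pkt)   # later rules see the rewritten header
            continue
        if ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(net):
            log = "ipfw: {} Deny TCP {}:{} {}:{} in via fxp0".format(
                num, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            return num, log
    return None, "no match in this subset"

if __name__ == "__main__":
    for name, rules in (("quoted order", RULES),
                        ("source check first", REORDERED)):
        print(name, "->", walk(PACKET, rules)[1])
```

With the quoted order the packet passes rule 700 while its destination is still the public address and is only dropped at 1700 after translation; with the source check before the divert, the log line carries the pre-NAT destination instead.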