Date: Sat, 29 Mar 2003 19:19:53 +0200
From: Dancho Penev <dpenev@mail.bg>
To: Walter <walterk1@earthlink.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw question
Message-ID: <20030329171953.GA512@earth.dpsca.bg>
In-Reply-To: <3E846B78.10607@earthlink.net>
References: <3E846B78.10607@earthlink.net>
On Fri, Mar 28, 2003 at 10:34:16AM -0500, Walter wrote:
>Date: Fri, 28 Mar 2003 10:34:16 -0500
>From: Walter <walterk1@earthlink.net>
>To: Questions <freebsd-questions@FreeBSD.org>
>Subject: ipfw question
>
>Hi all,
>
> I see a strange entry in my mail log from the ipfw log output. I don't really have a firm grasp on ipfw yet and need help understanding how this log entry came about (17 times), below:
>
> ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0
>
>The output of "ipfw list" starts as:
>
>00100 allow ip from any to any via lo0
>00200 deny log logamount 100 ip from any to 127.0.0.0/8
>00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
>00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
>00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
>00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
>00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
>00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
>00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
>01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
>01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
>01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
>01300 divert 8668 ip from any to any via fxp0
>01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
>01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
>01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
>01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
>01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
>01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
>02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
>02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
><remaining omitted>
>
>My question is how come rule 00700 did not kick out the prober, rather falling to rule 01700?? I realize the log

Because the original packet was from 0.0.0.0 to YOUR_PUBLIC_IP and natd (rule 1300) rewrites the destination address YOUR_PUBLIC_IP with your private IP address. You should find out who sends this kind of packet from your net to the outside world, because they are not very regular.

>amounts are limited, but how did rule 01700 get activated when rule 00700, seems to me, should have knocked out the packet? Is this evidence of someone having broken into my FBSD router, as there are no other entries I've seen to other possible internal IPs, or was someone just lucky?
>
>Thanks.
>
>Walter
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Regards,
Dancho Penev
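As an added illustration (not code from the thread or from ipfw itself), here is a small Python model of the ordered rule walk above with natd's destination rewrite happening at the divert rule. It shows why the inbound packet passes rule 700 untouched (its destination is still the public address at that point) and is then logged by rule 1700 with the private destination. The public address, the inside host and the NAT mapping are constructed placeholders.

```python
import ipaddress

# Constructed subset of the thread's ruleset, in ipfw order: the destination
# checks before the divert, the divert itself, and the source checks after it.
# Tuple: (rule number, action, source pattern, destination pattern)
RULES = [
    (700,  "deny",   "any",            "192.168.0.0/16"),
    (800,  "deny",   "any",            "0.0.0.0/8"),
    (1300, "divert", "any",            "any"),        # natd on port 8668
    (1600, "deny",   "192.168.0.0/16", "any"),
    (1700, "deny",   "0.0.0.0/8",      "any"),
]

# Constructed stand-in for natd's translation state: public IP -> inside host.
# 203.0.113.5 is a documentation-range placeholder for YOUR_PUBLIC_IP.
NAT_TABLE = {"203.0.113.5": "192.168.1.10"}


def matches(pattern, addr):
    """'any' or CIDR match, the only address forms used in the thread's rules."""
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def evaluate(src, dst, nat_table=NAT_TABLE):
    """Walk the rules for an inbound packet on fxp0 and return
    (matching rule, action, src, dst) with the addresses as they were
    when that rule matched. At the divert rule the packet is handed to
    natd, its destination is translated, and it re-enters at the next
    rule (the behaviour the thread's log shows; with one_pass=1 a
    diverted packet would instead be accepted immediately)."""
    for num, action, src_pat, dst_pat in RULES:
        if not (matches(src_pat, src) and matches(dst_pat, dst)):
            continue
        if action == "divert":
            dst = nat_table.get(dst, dst)   # natd rewrites only the destination
            continue
        return num, action, src, dst
    return None, "no-match", src, dst


def ipfw_log(num, action, proto, src, sport, dst, dport, iface):
    """Render the line as ipfw logs it: with the post-NAT addresses."""
    return f"ipfw: {num} {action.capitalize()} {proto} {src}:{sport} {dst}:{dport} in via {iface}"


if __name__ == "__main__":
    num, action, src, dst = evaluate("0.0.0.0", "203.0.113.5")
    print(ipfw_log(num, action, "TCP", src, 80, dst, 49339, "fxp0"))
```

A packet that already carries a private destination when it arrives (no translation needed) is caught by rule 700 before the divert, which is the case Walter expected.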