From: "Michael Richards"
To: freebsd-security@freebsd.org
Subject: Odd firewall messages
Date: Wed, 21 Feb 2001 21:31:39 -0500 (EST)

Aside from my bind problems, I finally got a firewall up and running for our servers. The ipfilter rules catching the odd packets are:

# Nasty Packets:
# Block any packets which are too short to be real.
block in log quick all with short
# Block any packets with source routing set
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# block any traffic claiming to be from an RFC reserved IP space
block in log quick on xl1 from 192.168.0.0/16 to any
block in log quick on xl1 from 172.16.0.0/12 to any
block in log quick on xl1 from 10.0.0.0/8 to any
# block localhost type IPs
block in log quick on xl1 from 127.0.0.0/8 to any
# block anything claiming to be a '0.x.x.x'
block in log quick on xl1 from 0.0.0.0/8 to any
# block IANA IPs reserved for use in auto-configuration
block in log quick on xl1 from 169.254.0.0/16 to any
# block IPs reserved for documentation authors
block in log quick on xl1 from 192.0.2.0/24 to any
# reserved SUN IPs for private cluster interlocks
block in log quick on xl1 from 204.152.64.0/23 to any
# multicast traffic
block in log quick on xl1 from 224.0.0.0/3 to any

Now I seem to be getting a number of weird packets, presumably probing my machine for various open ports:

21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 -> x.x.x.x,25 PR tcp len 20 7168 - IN
21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25 PR tcp len 20 10240 -A IN

I haven't figured out what the last 2 log entries are or do, only because I haven't read into the docs far enough yet. The thing I find curious is the first set of packets. These are coming from RFC reserved IP addresses.

Why on earth would I probe you using a return address of 10.0.0.1, since I probably won't ever get a response? Before the firewall was plugged in (it had a bypass during setup and testing) I presume that the responses to these packets were just fired back and filtered out somewhere. Since rules #2 and #3 do not seem to be firing, I assume they are not source routed so as to have the return source pass through the attacking machine.

Anyone have any wisdom when it comes to decoding what I'm seeing here?

Thanks,
-Michael

_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians
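A small parser for ipmon-format lines like the ones above, added here as an example; it is not code from Michael's message or from ipfilter. It splits each line into its fields (date, time, optional "Nx" repeat count, interface, @group:rule, b/p action, src,port -> dst,port, protocol, header and total length, optional TCP flags, direction), maps the rule number back to the poster's rule list, and tags sources that fall inside the reserved prefixes his rules block. Two things in it are assumptions rather than facts stated on the page: that the @0:N numbers are ordinal positions of the rules in group 0 as listed (consistent with @0:4 logging 192.168.x.x hits and @0:6 logging 10.x.x.x hits), and that the logged total lengths read sensibly if their two bytes are swapped (19968 = 0x4E00, swapped 0x004E = 78; 7168 -> 28; 10240 -> 40). The sample lines are the seven from the post, with the destination kept masked as x.x.x.x.

```python
"""Parse ipmon-style block log lines and tag sources inside the reserved
("bogon") prefixes of the poster's ruleset. Added example, not from the post."""
import ipaddress
import re
from collections import Counter

# Block rules in the order the post lists them. Assumption: the @group:rule
# number in the log is the rule's ordinal position in group 0, with nothing
# loaded ahead of these rules (matches @0:4 for 192.168.x.x, @0:6 for 10.x.x.x).
RULES = [
    (1, "too short to be real", None),
    (2, "source routing (lsrr)", None),
    (3, "source routing (ssrr)", None),
    (4, "RFC 1918 192.168.0.0/16", "192.168.0.0/16"),
    (5, "RFC 1918 172.16.0.0/12", "172.16.0.0/12"),
    (6, "RFC 1918 10.0.0.0/8", "10.0.0.0/8"),
    (7, "localhost 127.0.0.0/8", "127.0.0.0/8"),
    (8, "0.x.x.x", "0.0.0.0/8"),
    (9, "auto-configuration 169.254.0.0/16", "169.254.0.0/16"),
    (10, "documentation 192.0.2.0/24", "192.0.2.0/24"),
    (11, "Sun cluster interlock 204.152.64.0/23", "204.152.64.0/23"),
    (12, "multicast 224.0.0.0/3", "224.0.0.0/3"),
]
_NETS = [(n, ipaddress.ip_network(p)) for n, _, p in RULES if p]

# Field layout as it appears in the post:
# date time [Nx] iface @group:rule b|p src,sport -> dst,dport PR proto
# len hlen totlen [-TCPFLAGS] IN|OUT
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:(?P<count>\d+)x )?"
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\w.:]+),(?P<sport>\d+) -> (?P<dst>[\w.:]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: -(?P<flags>[A-Z]*))? (?P<dir>IN|OUT)$"
)


def byteswap16(v):
    """Swap the two bytes of a 16-bit value (19968 = 0x4E00 -> 0x004E = 78)."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def classify_source(addr):
    """Rule number whose reserved prefix contains addr, else None.
    Non-addresses such as the post's masked x.x.x.x also give None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for rule_no, net in _NETS:
        if ip in net:
            return rule_no
    return None


def rule_description(rule_no):
    for n, desc, _ in RULES:
        if n == rule_no:
            return desc
    return "unknown rule"


def parse_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": f"{d['date']} {d['time']}",
        "repeat": int(d["count"]) if d["count"] else 1,  # "2x" = two identical hits
        "iface": d["iface"],
        "rule": f"@{d['group']}:{d['rule']}",
        "rule_no": int(d["rule"]),
        "blocked": d["action"] == "b",
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"],
        "hlen": int(d["hlen"]),
        "tlen_raw": int(d["tlen"]),
        # Interpretation, not stated on the page: the logged total length
        # looks plausible only when byte-swapped (78-byte UDP/137 query).
        "tlen_swapped": byteswap16(int(d["tlen"])),
        "tcp_flags": d["flags"] or "",  # a bare "-" means no flags set
        "direction": d["dir"],
        "bogon_rule": classify_source(d["src"]),
    }


def summarize(lines):
    """Hits per rule and per reserved-prefix rule, weighted by the repeat count."""
    recs = [r for r in map(parse_line, lines) if r]
    by_rule, by_bogon = Counter(), Counter()
    for r in recs:
        by_rule[r["rule"]] += r["repeat"]
        if r["bogon_rule"] is not None:
            by_bogon[r["bogon_rule"]] += r["repeat"]
    return {"records": recs, "by_rule": dict(by_rule), "by_bogon": dict(by_bogon)}


# The seven lines from the post (destination masked as x.x.x.x in the original).
SAMPLE_LOG = [
    "21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 -> x.x.x.x,25 PR tcp len 20 7168 - IN",
    "21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25 PR tcp len 20 10240 -A IN",
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG)["records"]:
        print(f"{r['rule']} {rule_description(r['rule_no']):38} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} {r['proto']} len={r['tlen_raw']} "
              f"(swapped {r['tlen_swapped']}) flags={r['tcp_flags'] or '-'} x{r['repeat']}")
```

Under the ordinal-rule assumption, the entry for 205.188.246.17 (@0:1) was dropped by the first rule, the "with short" check, not by any address rule, and a swapped length of 28 bytes is too short to hold a 20-byte IP header plus a full 20-byte TCP header, which is consistent with that rule firing. The last entry (@0:6) is the 10.0.0.0/8 rule again, this time on a TCP packet to port 25 with only ACK set. The UDP/137 hits carry no TCP flags, so the parser stores an empty flag string for those and for a bare "-".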