Date: Fri, 22 Jun 2001 15:19:13 -0700 (PDT)
From: Mark Hartley
To: Kris Anderson
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: IPF rule response
In-Reply-To: <20010622220312.PZQH9852.mta11.onebox.com@onebox.com>

On 22-Jun-01 Kris Anderson wrote:
> Howdy folks,
>
> I've got a rule in my ipf that is reporting the following to syslog
>
> : <2>Jun 22 14:51:34 /kernel: ipfw: 3 Deny TCP 195.224.212.72:21
> :21 in via rl0
>
> I have limited understanding but it looks like that some bonehead on
> the 195. network is doing some sort of goofy ftp thing to my public_if,
> almost as if it was ftp relaying.
>
> Could somebody unconfuse me as to what this means?
>
> Thanks.
>

I get that frequently. My take on it is that it is someone trying to
bypass a firewall rule that allows anything from port 21, which some
people's firewalls are set to do (since ftp is such a pain to firewall).

Mark.
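
A way to pull the pattern Mark describes out of ipfw deny logs, as an added example that is not part of the original message: it flags denied inbound packets that claim a source port which a stateless "allow anything from port N" rule might trust. The port set, the function names and the sample log lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import Counter

# Source ports that stateless "allow from any <port>" rules commonly trust
# (assumption for this example; match it to the rules actually deployed).
TRUSTED_SRC_PORTS = {20, 21, 53, 80}

# Matches the ipfw log format quoted in the message:
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def suspicious_source_port(line):
    """Return parsed fields for a denied inbound packet that claims a trusted source port."""
    m = LOG_RE.search(line)
    if not m:
        return None  # not an ipfw packet line, or fields missing
    f = m.groupdict()
    sport, dport = int(f["sport"]), int(f["dport"])
    if f["action"] != "Deny" or f["dir"] != "in" or sport not in TRUSTED_SRC_PORTS:
        return None
    # A genuine server reply goes to a client's ephemeral port; a destination
    # below 1024 means the packet is aimed at a local service instead.
    f["dst_is_service"] = dport < 1024
    return f

def summarize(lines):
    """Count hits per (source address, claimed source port)."""
    hits = Counter()
    for line in lines:
        f = suspicious_source_port(line)
        if f:
            hits[(f["src"], int(f["sport"]))] += 1
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE = [
    "Jun 22 14:51:34 /kernel: ipfw: 3 Deny TCP 198.51.100.7:21 192.0.2.10:21 in via rl0",
    "Jun 22 14:51:40 /kernel: ipfw: 3 Deny TCP 198.51.100.7:21 192.0.2.10:111 in via rl0",
    "Jun 22 14:52:02 /kernel: ipfw: 3 Deny TCP 203.0.113.9:40112 192.0.2.10:23 in via rl0",
    "Jun 22 14:52:09 /kernel: ipfw: 5 Deny UDP 203.0.113.9:53 192.0.2.10:2049 in via rl0",
    "Jun 22 14:53:00 /kernel: ipfw: 9 Accept TCP 192.0.2.10:1025 198.51.100.7:80 out via rl0",
]

if __name__ == "__main__":
    for (src, sport), n in summarize(SAMPLE).most_common():
        print(f"{src} used source port {sport} on {n} denied inbound packet(s)")
```

Hits like these are harmless when the packets are being denied; they matter as a prompt to check that no rule admits traffic on source port alone, which stateful rules for FTP avoid.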