Date: Tue, 1 Jan 2002 18:44:54 -0800 (PST) From: Brian Whalen <bri@sonicboom.org> To: Joe Clarke <marcus@marcuscom.com> Cc: Joe & Fhe Barbish <barbish@a1poweruser.com>, FBSD Questions <questions@FreeBSD.ORG> Subject: RE: IPFW UDP port# 520 Message-ID: <20020101184245.O4288-100000@5131-073-209.015.popsite.net> In-Reply-To: <1009936578.16477.13.camel@shumai.marcuscom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
True, since he is concerned about log reduction, permit sourceip 520 to any, and that'll do it. If there is no gated, routed or anything like that running, its not that critical. You could always grep -v that sourceip.520 strinf to see what else is there.. Brian "Sonic" Whalen Success = Preparation + Opportunity On 1 Jan 2002, Joe Clarke wrote: > On Tue, 2002-01-01 at 19:47, Joe & Fhe Barbish wrote: > > All ready tried the obvious. Does not work. This packet > > still drops through to the default end. Any other ideas? > > RIP routes are sent to the broadcast address (255.255.255.255). If you > want to allow them through, you need to make sure your destination > address is 255.255.255.255. > > Now, when you do get the packets coming through, you should sniff them > to see what the upstream router is sending. Chances are it's just a > default route (a 0.0.0.0 route). You can probably safely ignore those > routes unless your ISP is depending on you seeing them to know who your > default router is. > > Joe > > > > > > > -----Original Message----- > > From: owner-freebsd-questions@FreeBSD.ORG > > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Brian Whalen > > Sent: Tuesday, January 01, 2002 7:12 PM > > To: Joe & Fhe Barbish > > Cc: FBSD Questions > > Subject: RE: IPFW UDP port# 520 > > > > look at your rc.conf to see which ruleset is being loaded, by default its > > one of the sets out of /etc/rc.firewall. > > You quoted 208.203.25.3:520 63.163.61.14:520 as the example, perhaps > > > > ${fwcmd} add pass udp from 208.203.25.3 520 to 63.163.61.14 520 > > > > is what you need? > > > > Brian "Sonic" Whalen > > Success = Preparation + Opportunity > > > > > > On Tue, 1 Jan 2002, Joe & Fhe Barbish wrote: > > > > > I know where my rules live. > > > What I need to find out is > > > What ipfw rules do I need to add to my rules list to provide the > > > correct response to make that router happy and shut up? > > > > > > > > > -----Original Message----- > > > From: Brian Whalen [mailto:bri@sonicboom.org] > > > Sent: Tuesday, January 01, 2002 6:29 PM > > > To: Joe & Fhe Barbish > > > Cc: FBSD Questions > > > Subject: RE: IPFW UDP port# 520 > > > > > > Look at your /etc/rc.conf to see what firewall file is being loaded and > > > edit that file. Are you using the simple, client, or another setup? > > > > > > Brian "Sonic" Whalen > > > Success = Preparation + Opportunity > > > > > > > > > On Tue, 1 Jan 2002, Joe & Fhe Barbish wrote: > > > > > > > I did not put the real IP address in the post, just changed > > > > the numbers to protect myself. > > > > The ISP real IP address does do a reverse dns ok. > > > > > > > > This machine is a virgin install of FBSD never been connected to > > > > the internet without firewall. There's no way that the Ripper > > > > Trojan could have infested my box. The 520's I am receiving can > > > > Only be from my ISP's router. > > > > > > > > What ipfw rules do I need to respond to make that router > > > > happy and shut up? > > > > > > > > > > > > -----Original Message----- > > > > From: Brian Whalen [mailto:bri@sonicboom.org] > > > > Sent: Tuesday, January 01, 2002 4:36 PM > > > > To: Joe & Fhe Barbish > > > > Cc: FBSD Questions > > > > Subject: Re: IPFW UDP port# 520 > > > > > > > > Well I'd be a little suspicious due to the lack of a reverse dns entry > > for > > > > that ip. According to arin, that ip belongs to Alexia Internet. This > > > > your isp? Is that ip your gsteway for traffic back out? > > > > > > > > Brian "Sonic" Whalen > > > > Success = Preparation + Opportunity > > > > > > > > > > > > On Tue, 1 Jan 2002, Joe & Fhe Barbish wrote: > > > > > > > > > Happy new year to all FBSD list readers. > > > > > > > > > > I see in my security log a lot of denied packets over and > > > > > over again of the same kind. > > > > > > > > > > Deny UDP 208.203.25.3:520 63.163.61.14:520 in via tun0 > > > > > > > > > > 208.203.25.3 is my ISP's IP address and 63.163.61.14 is my IP address. > > > > > > > > > > When I lookup what port 520 is it says a local routing process > > > > > or Trojan Ripper. I think it's my ISP's front door router > > > > > inquiring if I am still there. > > > > > Since my firewall is denying the request it just keeps repeating. > > > > > > > > > > How can I be sure It's my ISP's router and not the Ripper Trojan? > > > > > > > > > > What rules do I need the add to my IPFW rules set to resolve this? > > > > > > > > > > Thanks > > > > > > > > > > Joe > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-questions" in the body of the message > > > > > > > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020101184245.O4288-100000>