Date:      Wed, 28 Nov 2001 12:44:36 -0500
From:      "Danny" <eyezonme@gmx.net>
To:        <freebsd-security@freebsd.org>
Subject:   Ipfw + bpf interaction
Message-ID:  <000e01c17834$5cf1d670$020144c0@danny>


I've been experimenting with ipfw to horde off the hundreds of attempted
http requests per day (primarily all from @home customers) which I
suspect to be part of some lingering worm/ddos. My question is if a
connection attempt will still be recorded by clog(8) if the source IP is
blocked by ipfw? The reason I ask is because I am still seeing
connection attempts in the network log from a specific IP belonging to a
class B network which I thought I had blocked. The syntax for the rule I
used was:

	ipfw add deny log logamount 500 ip from 67.161.0.0:255.255.0.0 to my.ip.address

The rule seems to be added to ipfw's rule set, which for my box is as
follows:

	00050 1915738 1315695882 divert 8668 ip from any to any via ep1
	00100    3360    1384342 allow ip from any to any via lo0
	00200       0          0 deny ip from any to 127.0.0.0/8
	00300       0          0 deny ip from 127.0.0.0/8 to any
	00400    1596      65772 deny log logamount 500 ip from another.bad.host to my.ip.address
	00500       0          0 deny log logamount 500 ip from 67.161.0.0/16 to my.ip.address
	65535 3795144 2623014796 allow ip from any to any

The firewall blocks 'another.bad.host' without any problems, at least
according to the ipfw logs, but I am still seeing connections from the
67.161.0.0 subnet (where all the connections are coming from) in the
clog logs (that's fun to say). Do there seem to be any flaws in this
particular rule set? This is not intended to be an integral firewall,
just simply one to block some of the nuisances that have recently been
afflicting a machine on my network. Thanks for any pointers.

	Danny McQuade
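As an added example (not from the original message and not FreeBSD's own ipfw code), a small first-match walk over the ruleset quoted above, to show which rule claims an inbound packet before rule 00500 is reached and why a counter of 0 packets on 00500, as in the listing, means ipfw never matched it; separately, bpf taps the interface independently of ipfw's verdict, so a bpf-based logger such as clog records packets whether or not ipfw later drops them. The example assumes RFC 5737 documentation addresses in place of my.ip.address and another.bad.host, supports only the `ip from A to B [via IF]` rule shape used on this page, and models natd's re-injection after a divert (optionally rewriting the destination) as an assumption, not as something the message states.

```python
import ipaddress
import re

# Constructed from the ruleset quoted in the message (wrapped lines rejoined).
# my.ip.address and another.bad.host are placeholders in the original, so
# RFC 5737 documentation addresses stand in for them here.
MY_IP = "192.0.2.10"
BAD_HOST = "198.51.100.7"
RULESET = f"""
00050 divert 8668 ip from any to any via ep1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny log logamount 500 ip from {BAD_HOST} to {MY_IP}
00500 deny log logamount 500 ip from 67.161.0.0/16 to {MY_IP}
65535 allow ip from any to any
"""
RULE_RE = re.compile(r"^(\d+)\s+(\w+).*?\bip from (\S+) to (\S+)(?: via (\S+))?$")

def parse_addr(spec):
    """'any', 'a.b.c.d', 'a.b.c.d/n' or ipfw's 'a.b.c.d:mask' form."""
    if spec == "any":
        return None
    spec = spec.replace(":", "/")  # 67.161.0.0:255.255.0.0 -> 67.161.0.0/255.255.0.0
    return ipaddress.ip_network(spec, strict=False)

def parse_ruleset(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        num, action, src, dst, via = m.groups()
        rules.append((int(num), action, parse_addr(src), parse_addr(dst), via))
    return rules

def trace(rules, src, dst, iface, nat_dst=None):
    """Walk the rules in order; return [(rule, action), ...] up to the first
    terminal allow/deny. A divert is non-terminal: natd re-injects the packet
    and evaluation resumes at the next rule, optionally with the destination
    rewritten to nat_dst (assumed NAT behaviour, not taken from the page)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for num, action, s, d, via in rules:
        if (s is None or src_ip in s) and (d is None or dst_ip in d) \
                and (via is None or via == iface):
            hits.append((num, action))
            if action != "divert":
                return hits
            if nat_dst:
                dst_ip = ipaddress.ip_address(nat_dst)
    return hits

RULES = parse_ruleset(RULESET)
if __name__ == "__main__":
    for kw in ({}, {"nat_dst": "10.0.0.5"}):
        print(kw, trace(RULES, "67.161.5.5", MY_IP, "ep1", **kw))
```

With the destination left untouched the 67.161.0.0/16 packet reaches rule 00500 after the divert; if natd rewrites it to an internal host first, rule 00500 no longer matches and the packet falls through to 65535.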
