Date: 30 Dec 2001 17:22:22 -0600
From: James McNaughton <jtm63@enteract.com>
To: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
Cc: "FBSD Questions" <questions@FreeBSD.ORG>
Subject: Re: IPFW Security log?
Message-ID: <86pu4w5m4x.fsf@jamestown.21stcentury.net>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOEEMOCKAA.barbish@a1poweruser.com>
References: <LPBBIGIAAKKEOEJOLEGOEEMOCKAA.barbish@a1poweruser.com>
"Joe & Fhe Barbish" <barbish@a1poweruser.com> writes:
> In my security log I see the following messages. I take it the 3300 is
> the rule line that generated the message. As you can see, rule 3300 does not
> have the log option, so why is it being logged? I get a whole lot of these.
>
> Rule 5000 is just like the default rule, but I added log so I can see
> what is happening. I also have a lot of these. I have log limit set
> to 50 so my log is not flooded.
> I am using natd and 3300 is before the divert rule.
> 63.70.155.x is my ISP's dynamic address pool
>
> Is this attack traffic?
>
>
> /kernel: ipfw: 3300 Deny TCP 24.100.248.201:4957 63.70.155.125:21 in via tun0
> /kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0
> /kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0
> /kernel: ipfw: 5000 Deny UDP 208.206.15.4:520 63.70.155.114:520 in via tun0
>
It could be someone scanning your ports or trying to get ftp access to
your machine (the port 21) or ssh access (port 22). In the past there
were known vulnerabilities on some OSes for these services and it
seems script-kiddies keep trying them. AFAIK, the daemons have been
fixed in FreeBSD for known exploits. Since your firewall is catching
these probes they're probably nothing to get excited about.
However, the rule number from your rc.firewall excerpt doesn't seem to
be matching up with the network address from the log. Maybe you could
double check rc.firewall to make certain your rule numbers don't have
a duplicate and that you're really using that set of rules (e.g. rc.conf
is defining the desired value for firewall_type and it matches the
section of rc.firewall that you customized).
BTW, it is unnecessary to define the rule numbers. As long as the rules
are added in the proper order the rule numbers auto-increment and
everything works out OK. It's not "wrong" to use the numbers, but it
does add another point of failure in the ipfw setup.
>
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add 03300 deny ip from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add 03400 deny ip from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add 03500 deny ip from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add 03600 deny ip from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add 03700 deny ip from 240.0.0.0/4 to any via ${oif}
>
> # Everything else is denied by default so I added this to log all defaulted denies.
> ${fwcmd} add 05000 deny log logamount 50 ip from any to any
>
Best wishes...
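The cross-check suggested in this reply (does the rule number in the log line point at a rule that actually has `log`, does the source address even fall in that rule's source network, and are any rule numbers defined twice) can be scripted. The following POSIX sh/awk script is an added example and is not part of the original thread or of FreeBSD's rc.firewall; the ruleset and the log lines are constructed from the excerpt quoted above, and the function names `audit_ipfw_log` and `summarize_dst_ports` are this example's own.

```shell
#!/bin/sh
# Added example: cross-check ipfw log lines against an rc.firewall excerpt.
# RULES and LOGS are constructed from the quoted thread, not read from a live box.

RULES='${fwcmd} add 03300 deny ip from 0.0.0.0/8 to any via ${oif}
${fwcmd} add 03400 deny ip from 169.254.0.0/16 to any via ${oif}
${fwcmd} add 03500 deny ip from 192.0.2.0/24 to any via ${oif}
${fwcmd} add 03600 deny ip from 224.0.0.0/4 to any via ${oif}
${fwcmd} add 03700 deny ip from 240.0.0.0/4 to any via ${oif}
${fwcmd} add 05000 deny log logamount 50 ip from any to any'

LOGS='/kernel: ipfw: 3300 Deny TCP 24.100.248.201:4957 63.70.155.125:21 in via tun0
/kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0
/kernel: ipfw: 3300 Deny TCP 61.13.119.100:1209 63.70.155.125:22 in via tun0
/kernel: ipfw: 5000 Deny UDP 208.206.15.4:520 63.70.155.114:520 in via tun0'

# audit_ipfw_log RULES-TEXT  (log lines on stdin)
# Prints one verdict per ipfw log line: "<rule> <proto> <src> <dst:port> <flags>"
# where flags is OK, or any of UNKNOWN-RULE, NO-LOG-OPTION, SRC-NOT-IN-RULE-NET.
# Afterwards prints "DUPLICATE <n>" for every rule number added more than once.
audit_ipfw_log() {
  awk -v rules="$1" '
  function ip2n(s,   a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
  # prefix match done with integer division so it works in plain POSIX awk (no bit ops)
  function in_net(ip, cidr,   p, d) {
    if (cidr == "any") return 1
    if (split(cidr, p, "/") < 2) p[2] = 32
    d = 2 ^ (32 - p[2])
    return int(ip2n(ip) / d) == int(ip2n(p[1]) / d)
  }
  BEGIN {
    n = split(rules, line, "\n")
    for (i = 1; i <= n; i++) {
      m = split(line[i], f, " ")
      if (m < 3 || f[2] != "add") continue
      num = f[3] + 0                       # "03300" -> 3300, as the kernel prints it
      count[num]++
      haslog[num] = 0; src[num] = "any"
      for (j = 4; j <= m; j++) {
        if (f[j] == "log") haslog[num] = 1
        if (f[j] == "from" && j < m) src[num] = f[j + 1]
      }
    }
  }
  {
    # locate the "ipfw:" token so a syslog date/host prefix does not matter
    for (k = 1; k <= NF; k++) if ($k == "ipfw:") break
    if (k > NF) next
    num = $(k + 1) + 0; proto = $(k + 3); s = $(k + 4); dst = $(k + 5)
    sub(/:[0-9]+$/, "", s)                 # strip the source port
    flags = ""
    if (!(num in count)) flags = " UNKNOWN-RULE"
    else {
      if (!haslog[num]) flags = flags " NO-LOG-OPTION"
      if (!in_net(s, src[num])) flags = flags " SRC-NOT-IN-RULE-NET"
    }
    if (flags == "") flags = " OK"
    print num, proto, s, dst flags
  }
  END { for (num in count) if (count[num] > 1) print "DUPLICATE", num }
  '
}

# summarize_dst_ports  (log lines on stdin): "<port> <hits>" per destination port,
# a quick view of which services the probes are aimed at.
summarize_dst_ports() {
  awk '{ for (k = 1; k <= NF; k++) if ($k == "ipfw:") break
         if (k > NF) next
         split($(k + 5), d, ":"); c[d[2]]++ }
       END { for (p in c) print p, c[p] }' | sort -n
}

printf '%s\n' "$LOGS" | audit_ipfw_log "$RULES"
printf '%s\n' "$LOGS" | summarize_dst_ports
```

On the constructed input every 3300 line comes back flagged NO-LOG-OPTION and SRC-NOT-IN-RULE-NET, which is exactly the mismatch pointed out above: a rule without `log` never produces a log line, and 24.100.248.201 is not in 0.0.0.0/8, so the ruleset in the kernel cannot be the one in this file. The next step on the real box is to compare the file against `ipfw list` rather than against rc.firewall alone. The parser assumes the `/kernel: ipfw: <rule> <action> <proto> <src:port> <dst:port> ...` layout shown in the thread.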
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86pu4w5m4x.fsf>
