From owner-freebsd-security Wed Nov 28 10:31:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from ezri.unstable.org (209-122-104-39.c3-0.crm-ubr1.crm.ny.cable.rcn.com [209.122.104.39]) by hub.freebsd.org (Postfix) with ESMTP id 731DC37B416 for ; Wed, 28 Nov 2001 10:31:01 -0800 (PST) Received: by ezri.unstable.org (Postfix, from userid 1000) id C73D0E6DF; Wed, 28 Nov 2001 13:30:56 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by ezri.unstable.org (Postfix) with ESMTP id C1607E6DE; Wed, 28 Nov 2001 13:30:56 -0500 (EST) Date: Wed, 28 Nov 2001 13:30:56 -0500 (EST) From: klik To: Danny Cc: Subject: Re: Ipfw + bpf interaction In-Reply-To: <000e01c17834$5cf1d670$020144c0@danny> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Put those deny statments before your divert rule On Wed, 28 Nov 2001, Danny wrote: > Date: Wed, 28 Nov 2001 12:44:36 -0500 > From: Danny > To: freebsd-security@freebsd.org > Subject: Ipfw + bpf interaction > > > I've been experimenting with ipfw to horde off the hundreds of attempted > http requests per day (primarily all from @home customers) which I > suspect to be part of some lingering worm/ddos. My question is if a > connection attempt will still be recorded by clog(8) if the source IP is > blocked by ipfw? The reason I ask is because I am still seeing > connection attempts in the network log from a specific IP belonging to a > class B network which I thought I had blocked. The syntax for the rule I > used was: > > ipfw add deny log logamount 500 ip from 67.161.0.0:255.255.0.0 > to my.ip.address > > The rule seems to be added to ipfw's rule set, which for my box is as > follows: > > 00050 1915738 1315695882 divert 8668 ip from any to any via ep1 > 00100 3360 1384342 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 00400 1596 65772 deny log logamount 500 ip from > another.bad.host to my.ip.address > 00500 0 0 deny log logamount 500 ip from > 67.161.0.0/16 to my.ip.address > 65535 3795144 2623014796 allow ip from any to any > > The firewall blocks 'another.bad.host' without any problems, at least > according to the ipfw logs, but I am still seeing connections from the > 67.161.0.0 subnet (where all the connections are coming from) in the > clog logs (that's fun to say). Do there seem to be any flaws in this > particular rule set? This is not intended to be a integral firewall, > just simply one to block some of the nuisances that have recently been > afflicting a machine on my network. Thanks for any pointers. > > Danny McQuade > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message