Date: Fri, 18 Jun 2004 12:49:27 -0400 From: "JJB" <Barbish3@adelphia.net> To: "Robert Downes" <nullentropy@lineone.net>, <freebsd-ipfw@freebsd.org> Subject: RE: Blocked outbound traffic - what is it? Message-ID: <MIEPLLIBMLEEABPDBIEGAECLGDAA.Barbish3@adelphia.net> In-Reply-To: <40D3106A.9030403@lineone.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Those web sites are ms/windows spyware reporting home about where you browse. Just type those ip address into your browser and you will see dubble-click banner page. Your ipfw rules are doing there thing of not allowing those ms/windows spyware do their thing. >From your ipfw log I would say the ms/windows box you are using is compromised. Looks to me like you have email virus and spyware on that box. Ipfw is working just fine. Use nslookup ipaddress from FBSD command line to checkout out those loged ip address next time. The ip address of the 110 packet is not your ISP's pop3 email server I bet. By the way there are 2 examples in the archive email you referenced and you have made your own changes to one of them so they have no meaning to what you are using on your box. People need to see what YOU are running not some generic sample. Just for your education next time you have problem. And blow away your ms/windows system and reinstall to get known clean system and all those outbound log records will stop happening. -----Original Message----- From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Robert Downes Sent: Friday, June 18, 2004 11:55 AM To: freebsd-ipfw@freebsd.org Subject: Re: Blocked outbound traffic - what is it? Matthew McGehrin wrote: >You need to post your ruleset to the list along with some of your log's, or >your not going to get a response. > The ruleset is the one posted to this list recently: http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182 .html and some of the output of `cat /var/log/security | grep out`: Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0 Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0 Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0 Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0 Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0 Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0 Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0 These are just a few of many similar entries. The requests to port 110 are to a legitimate mail server. The requests to port 80 seem to be to banner-ad addresses, and to addresses that are legitimate but are not the same IP as the original browser request. But my point is: what feature of these packets is making them fail the filter, and why do I not seem to be missing anything on the pages (such as banner ads) even though requests are being blocked? If it's perfectly reasonable for these packets to be denied, then I'm happy with that. But I'm worried that something important is being killed on the spot. (Even though I can't work out what.) -- Bob _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGAECLGDAA.Barbish3>