From owner-freebsd-security  Wed Feb  7 11:26:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dudley.dnc.net (dudley.dnc.net [206.58.127.16])
	by hub.freebsd.org (Postfix) with ESMTP id 98E3637B401
	for <freebsd-security@freebsd.org>; Wed,  7 Feb 2001 11:25:53 -0800 (PST)
Received: from netadmin (dialup-c5-30.pdx.or.uspops.net [207.189.165.30] (may be forged))
	by dudley.dnc.net (8.9.3/8.9.3) with SMTP id LAA80760
	for <freebsd-security@freebsd.org>; Wed, 7 Feb 2001 11:40:51 -0800 (PST)
	(envelope-from cdinsmore@vatyx.com)
Message-ID: <002301c0913d$8555d000$1717a8c0@netadmin>
From: "Casey Dinsmore" <cdinsmore@vatyx.com>
To: <freebsd-security@freebsd.org>
Subject: Interesting ipfw response
Date: Wed, 7 Feb 2001 11:38:15 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0020_01C090FA.75715800"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0020_01C090FA.75715800
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I've had a couple interesting entries in my log lately and wonder if =
someone could shed some light on these. How is it that they are being =
rejected with rule number -1? If I am having a problem with a ipfw =
ruleset could someone offer recommendations to fix and prevent this? =20


Feb  4 14:25:22 axisintegrated /kernel: ipfw: -1 Refuse UDP =
64.80.89.149:27015 1.1.1.1:1261 in via de0
Feb  4 14:25:22 axisintegrated /kernel: ipfw: -1 Refuse UDP =
64.80.89.149:27015 1.1.1.1:1261 in via de0
Feb  6 09:24:31 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.105:12336 1.1.1.1:22866 in via de0
Feb  6 09:24:31 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.105:0 1.1.1.1:0 in via de0
Feb  6 09:24:38 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.105:12336 1.1.1.1:22871 in via de0
Feb  6 09:24:42 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.105:12336 1.1.1.1:23089 in via de0
Feb  6 09:24:42 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.105:0 1.1.1.1:0 in via de0
Feb  6 17:04:44 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.30:65533 1.1.1.1:256 in via de0
Feb  6 17:04:44 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.30:65533 1.1.1.1:1023 in via de0
Feb  6 17:04:44 axisintegrated /kernel: ipfw: -1 Refuse TCP =
207.189.165.30:0 1.1.1.1:0 in via de0


My ip was changed to 1.1.1.1 obviously and the scanner IP address was =
not changed to protect the guilty.


Thanks
Casey Dinsmore

------=_NextPart_000_0020_01C090FA.75715800
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4522.1800" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>I've had a couple interesting entries =
in my log=20
lately and wonder if someone could shed some light on these. How is it =
that they=20
are being rejected with rule number -1? If I am having a problem with a =
ipfw=20
ruleset could someone offer recommendations to fix&nbsp;and prevent =
this?=20
&nbsp;</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT><FONT face=3DArial =
size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Feb&nbsp; 4 14:25:22 axisintegrated =
/kernel: ipfw:=20
-1 Refuse UDP 64.80.89.149:27015 1.1.1.1:1261 in via de0<BR>Feb&nbsp; 4 =
14:25:22=20
axisintegrated /kernel: ipfw: -1 Refuse UDP 64.80.89.149:27015 =
1.1.1.1:1261 in=20
via de0<BR>Feb&nbsp; 6 09:24:31 axisintegrated /kernel: ipfw: -1 Refuse =
TCP=20
207.189.165.105:12336 1.1.1.1:22866 in via de0<BR>Feb&nbsp; 6 09:24:31=20
axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.105:0 1.1.1.1:0 =
in via=20
de0<BR>Feb&nbsp; 6 09:24:38 axisintegrated /kernel: ipfw: -1 Refuse TCP=20
207.189.165.105:12336 1.1.1.1:22871 in via de0<BR>Feb&nbsp; 6 09:24:42=20
axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.105:12336 =
1.1.1.1:23089=20
in via de0<BR>Feb&nbsp; 6 09:24:42 axisintegrated /kernel: ipfw: -1 =
Refuse TCP=20
207.189.165.105:0 1.1.1.1:0 in via de0<BR>Feb&nbsp; 6 17:04:44 =
axisintegrated=20
/kernel: ipfw: -1 Refuse TCP 207.189.165.30:65533&nbsp;1.1.1.1:256 in =
via=20
de0<BR>Feb&nbsp; 6 17:04:44 axisintegrated /kernel: ipfw: -1 Refuse TCP=20
207.189.165.30:65533&nbsp;1.1.1.1:1023 in via de0<BR>Feb&nbsp; 6 =
17:04:44=20
axisintegrated /kernel: ipfw: -1 Refuse TCP 207.189.165.30:0 1.1.1.1:0 =
in via=20
de0</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>My ip&nbsp;was changed=20
to&nbsp;1.1.1.1&nbsp;obviously and the scanner IP address was not =
changed to=20
protect the guilty.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Thanks</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Casey =
Dinsmore</FONT></DIV></BODY></HTML>

------=_NextPart_000_0020_01C090FA.75715800--



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message