Subject: Re: ipfw question
From: The Lost Admin
Date: Sat, 28 Mar 2015 11:19:02 -0400
To: "freebsd-questions@freebsd.org"
Cc: "William A. Mahaffey III"
Message-Id: <07C9255C-5CDA-4C96-A227-EB28FC836BF5@gmail.com>
In-Reply-To: <5516C210.6090806@hiwaay.net>

On Mar 28, 2015, at 11:00 AM, William A. Mahaffey III wrote:

> On 03/28/15 09:49, The Lost Admin wrote:
>>
>> On Mar 28, 2015, at 10:49 AM, William A. Mahaffey III wrote:
>>
>>> On 03/28/15 09:37, The Lost Admin wrote:
>>>>
>>>> On Mar 28, 2015, at 10:32 AM, William A. Mahaffey III wrote:
>>>>
>>>>> On 03/28/15 09:13, The Lost Admin wrote:
>>>>>>
>>>>>> On Mar 27, 2015, at 11:39 PM, William A. Mahaffey III wrote:
>>>>>>
>>>>>>> On 03/24/15 22:27, William A. Mahaffey III wrote:
>>>>>>>>
>>>>>>>> I completed a full pkg upgrade & freebsd-update this A.M. & rebooted. I notice the following in my /var/log/security file:
>>>>>>>>
>>>>>>>> Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0
>>>>>>>> [CUT]
>>>>>>>>
>>>>>>>> [root@kabini1, /etc, 10:26:29pm] 366 % ipfw show
>>>>>>>> 00100 211446 127533786 allow ip from any to any via lo0
>>>>>>>> 00200 0 0 deny ip from any to 127.0.0.0/8
>>>>>>>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>>>>>>>> 00400 0 0 deny ip from any to ::1
>>>>>>>> 00500 0 0 deny ip from ::1 to any
>>>>>>>> 00600 0 0 allow ipv6-icmp from :: to ff02::/16
>>>>>>>> 00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
>>>>>>>> 00800 2 152 allow ipv6-icmp from fe80::/10 to ff02::/16
>>>>>>>> 00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
>>>>>>>> 01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>>>>>>>> 01100 0 0 check-state
>>>>>>>> 01200 371 38801 allow tcp from me to any established
>>>>>>>> 01300 131125 100329380 allow tcp from me to any setup keep-state
>>>>>>>> 01400 15375 1247143 allow udp from me to any keep-state
>>>>>>>> 01500 0 0 allow icmp from me to any keep-state
>>>>>>>> 01600 0 0 allow ipv6-icmp from me to any keep-state
>>>>>>>> 01700 0 0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
>>>>>>>> 01800 0 0 allow udp from any 67 to me dst-port 68 in
>>>>>>>> 01900 0 0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
>>>>>>>> 02000 0 0 allow udp from fe80::/10 to me dst-port 546 in
>>>>>>>> 02100 0 0 allow icmp from any to any icmptypes 8
>>>>>>>> 02200 0 0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
>>>>>>>> 02300 3390 189852 allow icmp from any to any icmptypes 3,4,11
>>>>>>>> 02400 0 0 allow ipv6-icmp from any to any ip6 icmp6types 3
>>>>>>>> 02500 164 12060 allow tcp from 192.168.0.0/24 to me
>>>>>>>> 02600 729 139344 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513
>>>>>>>> 65000 2079 233849 count ip from any to any
>>>>>>>> 65100 334 58174 deny { tcp or udp } from any to any dst-port 111,137,138 in
>>>>>>>> 65200 325 118875 deny { tcp or udp } from 192.168.0.0/24 to me
>>>>>>>> 65300 0 0 deny ip from any to 255.255.255.255
>>>>>>>> 65400 0 0 deny ip from any to 224.0.0.0/24 in
>>>>>>>> 65500 0 0 deny udp from any to any dst-port 520 in
>>>>>>>> 65500 0 0 deny tcp from any 80,443 to any dst-port 1024-65535 in
>>>>>>>> 65500 1420 56800 deny log logamount 5000 ip from any to any
>>>>>>>> 65535 0 0 deny ip from any to any
>>>>>>>> [root@kabini1, /etc, 10:26:37pm] 367 %
>>>>>>>>
>>>>>>>
>>>>>>> Anyone ? I'm over 5000 warnings, saw that in my messages file ? What gives here ?
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>> I could be wrong, but I think the 2nd column (1420) is the number of packets (log entries generated by that line) and the second column is the total bytes that those packets contained.
>>>>>>
>>>>>> The Lost Admin
>>>>>> thelostadmin@gmail.com
>>>>>
>>>>> Thanks for your reply. I think you are correct, but I don't think those are the problems here. After the last 'pkg upgrade' & freebsd-update, *something* is broadcasting to 224.0.0.22 which wasn't doing it before. I have had the above rules for months, & before the upgrade, nothing was trying to broadcast. Now something is & it is swamping ipfw logging to my messages file. Any clue what it is or how to find it ? TIA & thanks again.
>>>>>
>>>>> --
>>>>>
>>>>> William A. Mahaffey III
>>>>
>>>> I was answering the question about the 5000 log entries. I missed the original question.
>>>>
>>>> 224.0.0.22 is a multicast address used for IGMP (Internet Group Management Protocol). You probably upgraded something that has initiated some sort of multicast group request.
>>>>
>>>
>>> Hmmmmm .... OK, good by me. Any idea how to identify that something that is now broadcasting (which wasn't before) :-) ? TIA & thanks again.
>>>
>>> --
>>>
>>> William A. Mahaffey III
>>>
>>> ----------------------------------------------------------------------
>>>
>>> "The M1 Garand is without doubt the finest implement of war
>>> ever devised by man."
>>> -- Gen. George S. Patton Jr.
>>
>> Read the release notes of the things that got upgraded and see if any of them introduced multicast for something.
>>
>> Run a sniffer that is IGMP aware and see what's going on with those packets. It's probably a request to be added to a multicast group or an advertisement for one.
>>
>
> What sniffer could you suggest ? I am new to the *BSD's :-/ ....
>
> --
>
> William A. Mahaffey III
>
> ----------------------------------------------------------------------
>
> "The M1 Garand is without doubt the finest implement of war
> ever devised by man."
> -- Gen. George S. Patton Jr.

Wireshark is pretty but requires X11. It also does a better job of making the output understandable.

tcpdump should be included in the base system and is text so works without a GUI. You used to be able to take a tcpdump output file and feed it to Wireshark for viewing.
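Before reaching for a sniffer, the ipfw log lines already in /var/log/security can be summarised to show which rule fires most and which local host is the source of the multicast traffic. The script below is an added example, not part of the thread: the UDP line format is the one quoted above, the `P:2` protocol token for IGMP (IP protocol 2) is an assumption about how ipfw logs non-TCP/UDP protocols, and all sample log lines are constructed.

```python
"""Summarise ipfw deny log lines (the /var/log/security format quoted in the
thread) by rule, protocol and destination, and flag multicast destinations such
as 224.0.0.22 so the sending host shows up.  Added example, not from the thread:
the "P:2" token for IGMP (IP protocol 2) is an assumption about how ipfw logs
non-TCP/UDP protocols, and every sample line is constructed."""
import ipaddress
import re
from collections import Counter
# ipfw: <rule> <action> <proto> <src> <dst> in|out via <iface>
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
                    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")

def split_hostport(value):
    """'1.2.3.4:53' -> ('1.2.3.4', 53); '[fe80::1]:546' -> ('fe80::1', 546); bare -> port None."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":")
        return host, (int(port) if port.isdigit() else None)
    if value.count(":") == 1:
        host, port = value.split(":")
        return host, int(port)
    return value, None

def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["src_port"] = split_hostport(rec["src"])
    rec["dst"], rec["dst_port"] = split_hostport(rec["dst"])
    rec["multicast"] = ipaddress.ip_address(rec["dst"]).is_multicast
    return rec

def summarise(lines):
    """Count denied packets per (rule, proto, dst) and per multicast sender."""
    by_dst, mcast_src = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] != "Deny":
            continue
        by_dst[(rec["rule"], rec["proto"], rec["dst"])] += 1
        if rec["multicast"]:
            mcast_src[(rec["src"], rec["iface"])] += 1
    return by_dst, mcast_src

SAMPLE = [  # constructed, in the format of the line quoted in the thread
    "Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0",
    "Feb 20 09:52:50 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0",
    "Feb 20 09:52:51 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0",
]
```

Feed it the real file with `summarise(open("/var/log/security"))`; the `mcast_src` counter names the host and interface behind the 224.0.0.22 traffic, which is the process-owning machine to inspect further.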