From: Modulok
To: freebsd-questions@freebsd.org
Date: Mon, 27 Aug 2007 13:56:37 -0600
Message-ID: <64c038660708271256o40bb9babla3083a28c5b637a6@mail.gmail.com>
Subject: What is a 'normal' amount of un-solicited connection attempts?
I'm new to the admin game and this is somewhat of a subjective question, so bear with me...

I run a small network on a home/office broadband connection and I'm getting more than my fair share of un-solicited traffic (maybe) on what I believed to be in the "private address range," as per RFC 1918. I have ipfw(8) set up to block such traffic, but with the volume of traffic being blocked it makes me wonder if I mis-configured something or if the RFC is deprecated or what not.

All of my services work and all of my clients can access everything they need to both locally and remotely, but when I read through the ipfw(8) log files there is a plethora of traffic attempting to connect from "the Internet" on various ports from various addresses. Most in the 10.0.0.0/8 block. This is normal, but how much is normal?

For example, here was an interesting one that's been hitting the log files pretty hard today. Note: "em1" is my Internet-facing interface, so the following is coming in from the Internet (ipfw rule followed by log entry):

    03401 1233 30036 deny log logamount 25 ip from 10.0.0.0/8 to any in via em1

    Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
    Aug 27 13:06:08 kernel: ipfw: limit 25 reached on entry 3401

It appears to be a DHCP or BOOTP broadcast... to the entire world? This is just one of many seemingly ridiculous entries. Did I miss something here?

I'm new to the admin game, so I'm not sure what the 'norm' is as far as frequency of un-solicited and often humorous traffic. 10.0.0.0/8 is where probably 98% of the un-solicited traffic comes from. Is this just "normal"? If it's just me, I would almost feel better than to think there are that many mis-configured servers out there spewing out crap.

What is "normal" for a small business connection and what does one do when there are a lot of repeated un-solicited connection attempts from a single source to your server? I had one day where I got something like 25 attempts to connect to port 22 (sshd) from a particular IP address somewhere in Romania (and we're nowhere near there).

Sorry for the somewhat vague question. Just looking for general reassurances and advice, I suppose.

-Modulok-
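The two questions in the post (is RFC 1918 traffic on the WAN side expected, and when do repeated hits from one source matter?) are easier to answer from the log than by eyeballing it. The following script is an added example, not code from the poster or from FreeBSD: it parses the ipfw(8) kernel log format quoted above, sorts each inbound deny on the WAN interface into DHCP leakage, RFC 1918 bogons or a genuine public source, and lists source/port pairs that repeat past a threshold (such as the 25 SSH attempts mentioned). The sample log lines, the interface name em1, the threshold and the documentation addresses 192.0.2.10 and 203.0.113.9 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
# ipfw(8) kernel log line as quoted in the post, e.g.
#   Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
IPFW_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"(?P<dir>in|out) via (?P<iface>\w+)")
# RFC 1918 space is never routed on the public Internet, so an inbound packet with such a source is leaked or spoofed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the post's DHCP offer three times, a 'limit reached' line (not a packet record),
# a burst of 12 SSH attempts from one public source, and a 10/8 TCP probe. Addresses are constructed.
SAMPLE_LOG = (
    ["Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1"] * 3
    + ["Aug 27 13:06:08 kernel: ipfw: limit 25 reached on entry 3401"]
    + ["Aug 27 14:00:%02d kernel: ipfw: 3500 Deny TCP 203.0.113.9:%d 192.0.2.10:22 in via em1"
       % (i, 40000 + i) for i in range(12)]
    + ["Aug 27 14:05:00 kernel: ipfw: 3401 Deny TCP 10.9.8.7:1234 192.0.2.10:80 in via em1"]
)

def parse_ipfw_line(line):
    # Returns the packet fields as a dict, or None for other ipfw/kernel messages.
    m = IPFW_RE.search(line)
    if not m:
        return None
    return {k: (int(v) if k in ("rule", "sport", "dport") else v) for k, v in m.groupdict().items()}

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def classify(entry, wan_iface):
    # Label one packet seen inbound on the Internet-facing interface.
    if entry["dir"] != "in" or entry["iface"] != wan_iface:
        return "other"
    if entry["proto"] == "UDP" and entry["dst"] == "255.255.255.255" and (entry["sport"], entry["dport"]) == (67, 68):
        return "dhcp-broadcast"   # DHCP server reply leaking across the provider's shared access segment
    if is_rfc1918(entry["src"]):
        return "rfc1918-bogon"    # private source on a public link: harmless noise, correctly dropped
    return "public-source"

def summarize(lines, wan_iface="em1", repeat_threshold=10):
    # Count denies per class; return (src, proto, dport) triples that repeat at least repeat_threshold times.
    classes, per_src_port = Counter(), Counter()
    for e in filter(None, map(parse_ipfw_line, lines)):
        if e["action"] != "Deny":
            continue
        c = classify(e, wan_iface)
        classes[c] += 1
        if c != "other":
            per_src_port[(e["src"], e["proto"], e["dport"])] += 1
    return classes, {k: v for k, v in per_src_port.items() if v >= repeat_threshold}
```

Feed it /var/log/security (or wherever syslog sends the ipfw facility) and the "rfc1918-bogon" and "dhcp-broadcast" counts show how much of the noise is just misconfigured neighbours, while the repeated list is what deserves a rate limit or a blocklist entry.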