From owner-freebsd-questions@FreeBSD.ORG Sat Mar 28 15:23:04 2015
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 49501DE3; Sat, 28 Mar 2015 15:23:04 +0000 (UTC)
Received: from fly.hiwaay.net (fly.hiwaay.net [216.180.54.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0B503F65; Sat, 28 Mar 2015 15:23:03 +0000 (UTC)
Received: from kabini1.local (rbn1-216-180-76-46.adsl.hiwaay.net [216.180.76.46]) (authenticated bits=0) by fly.hiwaay.net (8.13.8/8.13.8/fly) with ESMTP id t2SFN1da007054 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sat, 28 Mar 2015 10:23:01 -0500
Message-ID: <5516C8CB.4050505@hiwaay.net>
Date: Sat, 28 Mar 2015 10:29:15 -0500
From: "William A. Mahaffey III"
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: "freebsd-questions@freebsd.org"
Subject: Re: ipfw question
References: <55122B21.60905@hiwaay.net> <55162284.6040806@hiwaay.net> <5516BB73.7010108@hiwaay.net> <26D37EC0-1C91-4009-A5C6-7B40CDE4099B@gmail.com> <5516BF68.9040806@hiwaay.net> <3782D86A-E280-4C01-B492-D1982D372808@gmail.com> <5516C210.6090806@hiwaay.net> <07C9255C-5CDA-4C96-A227-EB28FC836BF5@gmail.com>
In-Reply-To: <07C9255C-5CDA-4C96-A227-EB28FC836BF5@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 28 Mar 2015 15:23:04 -0000

On 03/28/15 10:19, The Lost Admin wrote:
> On Mar 28, 2015, at 11:00 AM, William A. Mahaffey III wrote:
>
>> On 03/28/15 09:49, The Lost Admin wrote:
>>> On Mar 28, 2015, at 10:49 AM, William A. Mahaffey III wrote:
>>>
>>>> On 03/28/15 09:37, The Lost Admin wrote:
>>>>> On Mar 28, 2015, at 10:32 AM, William A. Mahaffey III wrote:
>>>>>
>>>>>> On 03/28/15 09:13, The Lost Admin wrote:
>>>>>>>
>>>>>>> On Mar 27, 2015, at 11:39 PM, William A. Mahaffey III wrote:
>>>>>>>
>>>>>>>> On 03/24/15 22:27, William A. Mahaffey III wrote:
>>>>>>>>>
>>>>>>>>> I completed a full pkg upgrade & freebsd-update this A.M. & rebooted. I notice the following in my /var/log/security file:
>>>>>>>>>
>>>>>>>>> Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0
>>>>>>>>> [CUT]
>>>>>>>>>
>>>>>>>>> [root@kabini1, /etc, 10:26:29pm] 366 % ipfw show
>>>>>>>>> 00100 211446 127533786 allow ip from any to any via lo0
>>>>>>>>> 00200 0 0 deny ip from any to 127.0.0.0/8
>>>>>>>>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>>>>>>>>> 00400 0 0 deny ip from any to ::1
>>>>>>>>> 00500 0 0 deny ip from ::1 to any
>>>>>>>>> 00600 0 0 allow ipv6-icmp from :: to ff02::/16
>>>>>>>>> 00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
>>>>>>>>> 00800 2 152 allow ipv6-icmp from fe80::/10 to ff02::/16
>>>>>>>>> 00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
>>>>>>>>> 01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>>>>>>>>> 01100 0 0 check-state
>>>>>>>>> 01200 371 38801 allow tcp from me to any established
>>>>>>>>> 01300 131125 100329380 allow tcp from me to any setup keep-state
>>>>>>>>> 01400 15375 1247143 allow udp from me to any keep-state
>>>>>>>>> 01500 0 0 allow icmp from me to any keep-state
>>>>>>>>> 01600 0 0 allow ipv6-icmp from me to any keep-state
>>>>>>>>> 01700 0 0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
>>>>>>>>> 01800 0 0 allow udp from any 67 to me dst-port 68 in
>>>>>>>>> 01900 0 0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
>>>>>>>>> 02000 0 0 allow udp from fe80::/10 to me dst-port 546 in
>>>>>>>>> 02100 0 0 allow icmp from any to any icmptypes 8
>>>>>>>>> 02200 0 0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
>>>>>>>>> 02300 3390 189852 allow icmp from any to any icmptypes 3,4,11
>>>>>>>>> 02400 0 0 allow ipv6-icmp from any to any ip6 icmp6types 3
>>>>>>>>> 02500 164 12060 allow tcp from 192.168.0.0/24 to me
>>>>>>>>> 02600 729 139344 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513
>>>>>>>>> 65000 2079 233849 count ip from any to any
>>>>>>>>> 65100 334 58174 deny { tcp or udp } from any to any dst-port 111,137,138 in
>>>>>>>>> 65200 325 118875 deny { tcp or udp } from 192.168.0.0/24 to me
>>>>>>>>> 65300 0 0 deny ip from any to 255.255.255.255
>>>>>>>>> 65400 0 0 deny ip from any to 224.0.0.0/24 in
>>>>>>>>> 65500 0 0 deny udp from any to any dst-port 520 in
>>>>>>>>> 65500 0 0 deny tcp from any 80,443 to any dst-port 1024-65535 in
>>>>>>>>> 65500 1420 56800 deny log logamount 5000 ip from any to any
>>>>>>>>> 65535 0 0 deny ip from any to any
>>>>>>>>> [root@kabini1, /etc, 10:26:37pm] 367 %
>>>>>>>>>
>>>>>>>>
>>>>>>>> Anyone ? I'm over 5000 warnings, saw that in my messages file ? What gives here ?
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>> I could be wrong, but I think the 2nd column (1420) is the number of packets (log entries generated by that line) and the second column is the total bytes that those packets contained.
>>>>>>>
>>>>>>> The Lost Admin
>>>>>>> thelostadmin@gmail.com
>>>>>> Thanks for your reply. I think you are correct, but I don't think those are the problems here. After the last 'pkg upgrade' & freebsd-update, *something* is broadcasting to 224.0.0.22 which wasn't doing it before. I have had the above rules for months, & before the upgrade, nothing was trying to broadcast. Now something is & it is swamping ipfw logging to my messages file. Any clue what it is or how to find it ? TIA & thanks again.
>>>>>>
>>>>>> --
>>>>>>
>>>>>> William A. Mahaffey III
>>>>> I was answering the question about the 5000 log entries. I missed the original question.
>>>>>
>>>>> 224.0.0.22 is a multicast address used for IGMP (Internet Group Management Protocol). You probably upgraded something that has initiated some sort of multicast group request.
>>>>>
>>>>>
>>>> Hmmmmm .... OK, good by me. Any idea how to identify that something that is now broadcasting (which wasn't before) :-) ? TIA & thanks again.
>>>>
>>>> --
>>>>
>>>> William A. Mahaffey III
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> "The M1 Garand is without doubt the finest implement of war
>>>> ever devised by man."
>>>> -- Gen. George S. Patton Jr.
>>> Read the release notes of the things that got upgraded and see if any of them introduced multicast for something.
>>>
>>> Run a sniffer that is IGMP aware and see what's going on with those packets. It's probably a request to be added to a multicast group or an advertisement for one.
>>>
>> What sniffer could you suggest ? I am new to the *BSD's :-/ ....
>>
>> --
>>
>> William A. Mahaffey III
>>
>> ----------------------------------------------------------------------
>>
>> "The M1 Garand is without doubt the finest implement of war
>> ever devised by man."
>> -- Gen. George S. Patton Jr.
> Wireshark is pretty but requires X11. It also does a better job of making the output understandable.
>
> tcpdump should be included in the base system and is text so works without a GUI. You used to be able to take a tcpdump output file and feed it to Wireshark for viewing.
>

Very well, I have wireshark already installed (this is a desktop box), I'll poke around & see what I find. Thanks :-).

--

William A. Mahaffey III

----------------------------------------------------------------------

"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
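The thread's two practical questions are "which destination is filling the log?" and "how do I find what joined the multicast group?". The script below is an added example, not part of the mailing-list message or of FreeBSD itself: it tallies ipfw "Deny" entries from /var/log/security by rule, protocol and destination (stripping the port so replies to ephemeral ports collapse into one line), and, when the noisiest destination is a multicast address, prints the base-system commands (ifmcstat, netstat -g, sockstat, tcpdump) used to locate the sender. The UDP log line copies the format shown in the thread; the IGMP lines, the interface name re0 and the hostname kabini1 are constructed sample data, and the "P:2" rendering of IGMP (ipfw prints protocols other than TCP/UDP/ICMP as "P:<protocol number>") is an assumption about the log format rather than something the thread shows.

```sh
#!/bin/sh
# Added example (not from the thread): summarise ipfw "Deny" log lines by
# destination so a noisy address (224.0.0.22 in the thread) stands out, then
# print the FreeBSD commands that show which interface/socket joined the group.

# Constructed sample of /var/log/security lines. The UDP line copies the
# thread's format; the "P:2" (protocol 2 = IGMP) lines assume ipfw's
# "P:<number> src dst" rendering for non-TCP/UDP/ICMP traffic.
SAMPLE_LOG='Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0
Mar 28 10:01:02 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Mar 28 10:01:03 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Mar 28 10:01:04 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0'

# Read ipfw log lines on stdin; print "<count> <rule> <proto> <dst> <dir> <iface>"
# for each distinct tuple, most frequent first. A trailing ":port" is removed
# from the destination so TCP/UDP replies to ephemeral ports count as one line.
summarize_denies() {
    awk '$6 == "ipfw:" && $8 == "Deny" {
            dst = $11
            sub(/:[0-9]+$/, "", dst)
            key = $7 " " $9 " " dst " " $12 " " $14
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Destination address of the most frequent deny tuple on stdin.
top_denied_dst() {
    summarize_denies | head -n 1 | awk '{ print $4 }'
}

# True when an IPv4 dotted quad lies in the multicast range 224.0.0.0/4.
is_multicast() {
    first=${1%%.*}
    [ "$first" -ge 224 ] && [ "$first" -le 239 ]
}

# tcpdump filter for watching traffic to one address. For a multicast
# destination IGMP is included explicitly so membership reports for other
# groups (the "request to be added to a multicast group") are captured too.
sniffer_filter() {
    if is_multicast "$1"; then
        echo "igmp or dst host $1"
    else
        echo "dst host $1"
    fi
}

# FreeBSD base-system commands that locate the sender: ifmcstat(8) and
# 'netstat -g' list the multicast groups each interface has joined,
# sockstat(1) maps open sockets to processes so the group can be matched to
# the service that was upgraded, and tcpdump(1) shows the reports themselves.
multicast_commands() {
    iface=$1; dst=$2
    echo "ifmcstat -i $iface"
    echo "netstat -gn"
    echo "sockstat -4 -l"
    echo "tcpdump -ni $iface '$(sniffer_filter "$dst")'"
}

# Demonstration on the constructed sample. On a real host replace the printf
# with: summarize_denies < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
dst=$(printf '%s\n' "$SAMPLE_LOG" | top_denied_dst)
if is_multicast "$dst"; then
    multicast_commands re0 "$dst"
fi
```

On the sample the summary puts "3 65500 P:2 224.0.0.22 out re0" first, and because 224.0.0.22 is multicast the script ends by printing the four diagnostic commands, the last of which is `tcpdump -ni re0 'igmp or dst host 224.0.0.22'`. Note that the thread's rule 65400 only denies multicast *inbound*; outbound IGMP from the host falls through to the logging rule 65500, which is why the entries appear there.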