From owner-freebsd-stable Wed Aug  8 20:14:52 2001
Date: Wed, 8 Aug 2001 23:15:35 -0400 (EDT)
From: Chris BeHanna
To: FreeBSD-Stable
Subject: Re: Bridge?
In-Reply-To: <3B6A7025.A5F8643F@home.com>

On Fri, 3 Aug 2001, Ted Sikora wrote:

> Ha! an old one is back:
>
> Aug  2 20:07:36 dhcp-209-54-72-117 /kernel: arp: 192.168.1.1 is on ed0
> but got reply from 00:20:78:d4:a5:87 on dc0
> ***********************************
> WHO IS THIS??
> ***********************************
> Aug  2 20:08:02 dhcp-209-54-72-117 last message repeated 2 times
> Aug  2 20:10:00 dhcp-209-54-72-117 last message repeated 8 times
>
> I checked all my MAC addresses .. IT'S NOT ON MY NETWORK!
> Unfortunately I was using 192.168.1.1. I changed the network addresses
> and so far it's quiet. That da** cable modem must be letting other users
> in from my node.??

That or someone's leaking packets from their 192.168.0.0/16 to the
outside world.  I have a firewall rule to block inbound packets from
private networks on my outside NIC.  Conversely, after my natd divert
rule, I have a rule to prevent my own private network traffic from
leaking out.

> I had this on one of my machines, an attack??
>
> Aug  2 10:03:08 dhcp-209-54-72-114 ftpd[424]: refused PORT
> 9.100.139.211,1195 from sungold10.fr.ibm.com [194.196.100.115]
> Aug  2 10:25:20 dhcp-209-54-72-114 ftpd[466]: refused PORT
> 9.100.139.211,1213 from sungold10.fr.ibm.com [194.196.100.115]
> Aug  2 10:45:15 dhcp-209-54-72-114 ftpd[479]: francess@fr.ibm.com of
> sungold4.fr.ibm.com [194.196.100.100]: data connect from 194.196.100.101
> for /bin/ls
> Aug  2 10:45:22 dhcp-209-54-72-114 ftpd[479]: francess@fr.ibm.com of
> sungold4.fr.ibm.com [194.196.100.100]: data connect from 194.196.100.101
> for /bin/ls
> Aug  2 10:46:12 dhcp-209-54-72-114 ftpd[485]: francess@fr.ibm.com of
> sungold5.fr.ibm.com [194.196.100.101]: data connect from 194.196.100.114
> for /bin/ls
> Aug  2 10:47:01 dhcp-209-54-72-114 ftpd[487]: francess@fr.ibm.com of
> sungold9.fr.ibm.com [194.196.100.114]: data connect from 194.196.100.113
> for /bin/ls
> Aug  2 10:47:58 dhcp-209-54-72-114 ftpd[489]: francess@fr.ibm.com of
> sungold10.fr.ibm.com [194.196.100.115]: data connect from 194.196.100.99
> for /bin/ls
> Aug  2 10:48:04 dhcp-209-54-72-114 ftpd[489]: francess@fr.ibm.com of
> sungold10.fr.ibm.com [194.196.100.115]: data connect from
> 194.196.100.101 for /bin/ls

Possibly.  Do you have ftpd running?  If so, I'd shut it down.  There's
nothing you can do with ftpd that you can't do better with scp (or, if
you must, sftp).

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
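The two ipfw(8) rule groups Chris describes (drop inbound packets with private sources on the outside NIC; after the natd divert, drop anything still carrying the LAN's private source) as an added example. This is not code from the original thread or from FreeBSD's own rc files. It goes a little beyond the reply by also scanning syslog for the kind of `arp:` warning Ted quoted, so the same RFC 1918 check serves both the rules and the log. The interface name dc0, the LAN 192.168.1.0/24, the rule numbers and the sample log lines are all assumptions or constructed for the example; the script prints the ipfw commands instead of running them so the set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original thread or FreeBSD's rc files):
# generate the anti-spoof / anti-leak ipfw rules described in the reply and
# check syslog for the arp warnings that motivated them.
# On a FreeBSD box with natd already started, load with:  sh anti_leak.sh | sh
# Assumptions: outside NIC is dc0, the LAN is 192.168.1.0/24, rule numbers
# 100/200/300 are free, and natd listens on the 'natd' divert port.
EXT_IF="${EXT_IF:-dc0}"
INT_NET="${INT_NET:-192.168.1.0/24}"

# is_rfc1918 ADDR: exit 0 if ADDR falls in 10/8, 172.16/12 or 192.168/16.
# Each glob requires a dot after the matched octets so that, for example,
# 172.160.x.x is not mistaken for 172.16/12.
is_rfc1918() {
    case "$1" in
        10.*.*.*)                                     return 0 ;;
        172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*)  return 0 ;;
        192.168.*.*)                                  return 0 ;;
        *)                                            return 1 ;;
    esac
}

# emit_rules: print the ipfw commands in the order they must be installed.
emit_rules() {
    # Inbound on the outside NIC: no legitimate packet arrives there with a
    # private source, so it is a neighbour leaking their LAN or a spoof.
    # These sit before the divert so natd never sees them.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "ipfw add 100 deny log ip from $net to any in via $EXT_IF"
    done
    # natd rewrites our source addresses to the public one on the way out
    # and maps replies back on the way in.
    echo "ipfw add 200 divert natd ip from any to any via $EXT_IF"
    # A packet that still carries our private source after the divert was
    # not translated (natd down, or traffic natd does not handle); it must
    # not leave the box, and 'log' tells us it happened.
    echo "ipfw add 300 deny log ip from $INT_NET to any out via $EXT_IF"
}

# flag_arp_leaks: read syslog on stdin, print "LEAK <ip> <mac>" for every
# kernel arp warning whose reply came in on the outside NIC from a private
# address.  Rule 100 drops that neighbour's IP packets, but ARP is not IP,
# so the warning itself keeps appearing while they are still plugged in.
flag_arp_leaks() {
    while IFS= read -r line; do
        case "$line" in
            *"arp: "*" is on "*" but got reply from "*" on $EXT_IF") ;;
            *) continue ;;
        esac
        ip=${line#*"arp: "};        ip=${ip%%" is on "*}
        mac=${line#*"reply from "}; mac=${mac%%" on "*}
        if is_rfc1918 "$ip"; then
            echo "LEAK $ip $mac"
        fi
    done
}

# Constructed sample syslog, in the format quoted in the thread.  The first
# line mirrors Ted's; the others are made up for contrast (reply on the
# inside NIC, and a public address on the outside NIC).
SAMPLE_LOG='Aug  2 20:07:36 dhcp-209-54-72-117 /kernel: arp: 192.168.1.1 is on ed0 but got reply from 00:20:78:d4:a5:87 on dc0
Aug  2 20:07:40 dhcp-209-54-72-117 /kernel: arp: 192.168.1.5 is on dc0 but got reply from 00:a0:c9:12:34:56 on ed0
Aug  2 20:07:44 dhcp-209-54-72-117 /kernel: arp: 209.54.72.1 is on ed0 but got reply from 00:00:0c:07:ac:01 on dc0
Aug  2 20:08:02 dhcp-209-54-72-117 last message repeated 2 times'

emit_rules
printf '%s\n' "$SAMPLE_LOG" | flag_arp_leaks
```

Run it with no arguments to see the five ipfw commands followed by a single `LEAK 192.168.1.1 00:20:78:d4:a5:87` line; pipe the first part into `sh` as root only after checking that the rule numbers do not collide with an existing ruleset. Note that the rules stop the neighbour's IP packets but cannot silence the arp warning, because ARP is not filtered by ipfw's ip rules.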