From owner-freebsd-stable Thu Oct 4 13:56:43 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id A673337B403; Thu, 4 Oct 2001 13:56:37 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.245.132.25.Dial1.SanJose1.Level3.net [209.245.132.25]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id NAA06579; Thu, 4 Oct 2001 13:56:31 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f94KuQ001566; Thu, 4 Oct 2001 13:56:26 -0700 (PDT) (envelope-from cjc)
Date: Thu, 4 Oct 2001 13:56:26 -0700
From: "Crist J. Clark"
To: Bill Moran
Cc: "Robin P. Blanchard", stable@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: ipfilter/ipnat question
Message-ID: <20011004135626.F297@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3BBC56A5.CA8F47E4@gactr.uga.edu> <01100408440601.01917@proxy.the-i-pa.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <01100408440601.01917@proxy.the-i-pa.com>; from wmoran@iowna.com on Thu, Oct 04, 2001 at 08:44:06AM -0400
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Oct 04, 2001 at 08:44:06AM -0400, Bill Moran wrote:
> [This belongs on -questions, I've cced]
>
> On Thursday 04 October 2001 08:31, Robin P. Blanchard wrote:
> > Every now and then in my ipflog I see that ipfilter has blocked packets
> > from the internet destined for machines on my internal network:
> >
> > 01/10/2001 19:30:54.722906 3x dc0 @0:23 b 207.68.131.21,80 ->
> > 192.168.0.126,1045 PR tcp len 20 1500 -A IN
> > 01/10/2001 19:40:50.351123 dc0 @0:23 b 207.46.106.81,80 ->
> > 192.168.0.126,1033 PR tcp len 20 1500 -A IN
> > 02/10/2001 17:43:47.320547 50x dc0 @0:23 b 128.192.37.79,20 ->
> > 192.168.0.126,1148 PR tcp len 20 1500 -A IN
> >
> > My question is: how is it that my internal IPs are getting to these
> > hosts in the first place? Shouldn't ipnat have taken care of that on the
> > way out?
>
> They probably aren't. Do a traceroute to some well-known sites (such
> as yahoo). Chances are that your ISP is using RFC-1918 addys on
> their internal routing. Stupid idea, but it's become commonplace to do
> it.
> IPv6 needs to come into use soon. This internet thing is such a mess
> that it amazes me that it works at all!

It is much more likely that these are part of a messed up HTTP
connection. 192.168.0.126 is a valid address on your network that might
be browsing the web? The packets are being processed by ipnat(8) as part
of a valid connection but then being blocked at rule 26.
--
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
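As an added example (not code from this thread, from ipfilter or from FreeBSD), the following Python parses ipflog lines in the format quoted above and separates ACK-only packets arriving from a server port to an ephemeral port, which fit Crist's reading of late return traffic for a NATed connection, from genuine inbound SYNs. The first three sample lines are the ones from the thread; the fourth (source 203.0.113.9, port 139) is constructed for contrast, and the class names are this example's own.

```python
import re

# Constructed sample: the three ipflog lines quoted in the thread plus one made-up inbound SYN.
SAMPLE_LOG = """\
01/10/2001 19:30:54.722906 3x dc0 @0:23 b 207.68.131.21,80 -> 192.168.0.126,1045 PR tcp len 20 1500 -A IN
01/10/2001 19:40:50.351123 dc0 @0:23 b 207.46.106.81,80 -> 192.168.0.126,1033 PR tcp len 20 1500 -A IN
02/10/2001 17:43:47.320547 50x dc0 @0:23 b 128.192.37.79,20 -> 192.168.0.126,1148 PR tcp len 20 1500 -A IN
02/10/2001 18:01:02.000000 dc0 @0:23 b 203.0.113.9,3456 -> 192.168.0.126,139 PR tcp len 20 48 -S IN
"""

# date time [Nx] iface @group:rule b|p src,sport -> dst,dport PR proto len hlen plen [-FLAGS] IN|OUT
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<direction>IN|OUT)$"
)

def parse_line(line):
    """Parse one ipflog line into a dict, or return None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["count"] = int(e["count"] or 1)          # "Nx" repeat prefix, 1 when absent
    for k in ("group", "rule", "sport", "dport"):
        e[k] = int(e[k])
    e["flags"] = e["flags"] or ""              # empty for non-TCP traffic
    return e

def classify(e):
    """Separate inbound connection attempts from what looks like return traffic."""
    if e["proto"] != "tcp":
        return "non-tcp"
    if "S" in e["flags"]:
        return "new-connection-attempt"
    if e["flags"] == "A" and e["sport"] < 1024 and e["dport"] >= 1024:
        return "return-traffic-ack"            # server port -> ephemeral port, ACK only
    return "other-tcp"

def summarize(log_text):
    """Count blocked packets per (rule, class), honouring the Nx repeat prefix."""
    totals = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["action"] != "b":
            continue
        key = (e["rule"], classify(e))
        totals[key] = totals.get(key, 0) + e["count"]
    return totals
```

Running summarize(SAMPLE_LOG) groups the 54 repeated ACK-only hits on rule 23 apart from the single SYN, which is the distinction worth making before concluding that internal addresses are leaking.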