Date: Mon, 29 May 2000 00:01:13 -0500
To: freebsd-net@freebsd.org
From: David Schooley
Subject: Strange Network Traffic

Hi,

My FreeBSD 4.0-Stable box is part of a LAN that gets out onto the internet via a Linksys Cable/DSL router and cable modem. I used to route packets through the FreeBSD box using NAT, but the Linksys thing lets me do strange things to the BSD side without cutting off the rest of the network from the internet. I am the only user on the LAN.

The Linksys router acts as a firewall, but since I don't really know how good it is for that, I am using ipfw to provide backup protection for the FreeBSD box. The router's IP address is 192.168.1.1 to the LAN. The IP address of the FreeBSD box is 192.168.1.2 on fxp0. Both addresses are fixed. fxp1 is a second ethernet card on the FreeBSD machine, but it only carries AppleTalk traffic and does not have an IP address.
My ruleset looks like this:

    00100 allow ip from any to any via lo0
    00200 deny log logamount 100 ip from any to 127.0.0.0/8
    00250 deny log logamount 100 ip from 127.0.0.0/8 to any via fxp0
    00300 allow ip from 192.168.1.2 to 192.168.1.0/24
    00400 allow ip from 192.168.1.0/24 to 192.168.1.2
    00500 check-state
    00600 allow ip from any to any frag
    00700 allow tcp from 192.168.1.2 to any keep-state setup
    00800 allow udp from any 53 to 192.168.1.2
    00900 allow udp from 192.168.1.2 to any 53
    01000 deny log logamount 100 ip from any to any
    65535 deny ip from any to any

I log all failures so that I can see what makes it through the Linksys.

Now for the question. The following shows up in the security log:

    May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp1
    May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp0

and later, it happens again:

    May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp1
    May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1031 255.255.255.255:162 in via fxp0

The Linksys shouldn't be doing anything with SNMP, so are evil crackers trying to do something?

--
---------------------------------------------------
David C. Schooley, Ph.D.
Transmission Operations/Technical Operations Support
Commonwealth Edison Company
work phone: 630-691-4466/(472)-4466
work email: mailto:david.c.schooley@ucm.com
home email: mailto:dcschooley@ieee.org
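An added example, not part of the post and not FreeBSD code: a small Python parser for ipfw log lines in the format quoted above. It labels entries whose destination is 255.255.255.255 on UDP port 162 (the SNMP trap port) with a LAN source as trap broadcasts coming from inside the LAN, and reports which interfaces each kind of entry was seen on. The LAN prefix 192.168.1.0/24 is taken from the post; the third sample line is constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Sample log: the first two lines are the entries quoted in the post, the
# third is a constructed line (an outside host hitting the DNS port) for contrast.
SAMPLE_LOG = """\
May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp1
May 25 23:30:00 bicycle /kernel: ipfw: 1000 Deny UDP 192.168.1.1:1030 255.255.255.255:162 in via fxp0
May 28 16:52:04 bicycle /kernel: ipfw: 1000 Deny UDP 10.9.9.9:40000 192.168.1.2:53 in via fxp0
"""

# Fields of an ipfw log entry: rule number, action, protocol, src:port, dst:port,
# direction and interface, as in the lines above.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)$"
)

LAN = ipaddress.ip_network("192.168.1.0/24")   # the poster's LAN (from the post)
SNMP_TRAP_PORT = 162                            # UDP/162 is the SNMP trap port


def parse_ipfw_line(line):
    """Return a dict of the fields of one ipfw log line, or None if it is not one."""
    m = IPFW_RE.search(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("rule", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def classify(ev):
    """Label an event: SNMP trap broadcast from the LAN, other LAN traffic, or outside traffic."""
    src = ipaddress.ip_address(ev["src"])
    if (ev["proto"] == "UDP" and ev["dst"] == "255.255.255.255"
            and ev["dport"] == SNMP_TRAP_PORT and src in LAN):
        return "snmp-trap-broadcast-from-lan"
    return "from-lan" if src in LAN else "from-outside"


def summarize(log_text):
    """Count events per label and record which interfaces each label was seen on."""
    counts, ifaces = Counter(), {}
    for line in log_text.splitlines():
        ev = parse_ipfw_line(line)
        if ev is None:
            continue
        label = classify(ev)
        counts[label] += 1
        ifaces.setdefault(label, set()).add(ev["iface"])
    return counts, ifaces
```

Run on the sample, the two quoted entries come out as one trap broadcast seen on both fxp0 and fxp1 (the same packet arriving on both cards), while the constructed line is counted separately as outside traffic.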