Date: Sun, 23 Oct 2011 01:58:03 +0000
From: "Li, Qing" <qing.li@bluecoat.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: RE: IPFW shows me Strangeness in fresh 8.2-RELEASE system
Message-ID: <B143A8975061C446AD5E29742C53172315D130@PWSVL-EXCMBX-01.internal.cacheflow.com>
In-Reply-To: <29994.1319330864@tristatelogic.com>
References: <29994.1319330864@tristatelogic.com>
First thing comes to mind is to check if "rl0" is running in promiscuous mode.

Check ifconfig output, and do a "ifconfig rl0 -promisc" just for good measure and
see what happens.

--Qing

________________________________________
From: owner-freebsd-net@freebsd.org [owner-freebsd-net@freebsd.org] on behalf of Ronald F. Guilmette [rfg@tristatelogic.com]
Sent: Saturday, October 22, 2011 5:47 PM
To: freebsd-net@freebsd.org
Subject: IPFW shows me Strangeness in fresh 8.2-RELEASE system

I've been slowly bringing up a fresh new 8.2-RELEASE system on one of my
static IPs, and I've set up some minimalist ipfw rules, just for the time
being, to try to protect it from Evil Invaders. I arranged for these rules
to log all unexpected inbound packets coming in via the one and only ethernet
card.

The card has been ifconfig'd as follows:

ifconfig_rl0="inet 69.62.255.119 netmask 255.255.255.0"

I'll admit to being ignorant about many of the finer details of networking
generally, but to my way of thinking, the above configuration should cause
the card to really only listen for inbound packets addressed to 69.62.255.119.
Yes? No?

Well, anyway, that's been my experience in the past.

The odd thing is that I'm getting some inbound packets logged by my final
``catch all'' deny & log rule in my IPFW rules list, where the destination
IP address on the packets being logged is *not* 69.62.255.119.

This is absolutely puzzling to me, and I hope that somebody can explain it
to me. I mean how can this occur? The destination IP addresses in question
aren't even in the same /24 as my machine, so I really don't understand how
or why my card is even receiving these packets.

The inbound packets in question are not really a problem. I can easily
figure out how to add additional ipfw rules to block them completely.
But the very fact that my ethernet card is even hearing them, given its
configured IP address, is rather disturbing to me, because it obviously
means that there's something deep going on here that I just don't understand,
but I would like to understand it.

The packets in question seem to come in three flavors. About 1/3 of them look
like this in the /var/log/security file:

Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0

Some others look like this:

Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0

Still others look like this:

Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0

The destination addresses for all of the logged packets represented above are
quite clearly *not* the IP address of the machine I'm setting up. Not even
close.

Note that the machine I've been setting up is on a static IP address on an
ordinary end-luser DSL line. Note also that all addresses within the
67.159.128.0/19 block belong to my own ISP, Surewest Broadband. So it would
seem to be the case that some other folks or businesses who use my same ISP
may perhaps be sending out some funny (and misdirected?) packets, but that's
not an issue that concerns me. What does concern me is just the fact that
my ethernet card seems to be listening to packets that aren't even addressed
to it, and I really just don't understand why.

Any enlightenment would be appreciated.


Regards,
rfg


P.S. This is the first time I've ever touched FreeBSD 8.x. I've been using
7.x releases in the past however, and before that 6.x and 5.x releases and
I've really never seen anything quite like this before. Do 8.x releases now
cause ethernet cards to listen for stuff they should not even be listening
for?

Color me perplexed.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
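Added example (not part of the thread, and not code from either poster): a small triage script that parses ipfw "Deny ... in via" lines of the shape quoted above and classifies each destination address against the host's own interface configuration, plus a check of ifconfig output for the PROMISC flag that Qing's reply suggests looking at. The point it makes is that a NIC that is not promiscuous still accepts every frame sent to the Ethernet broadcast MAC, so IP destinations of 255.255.255.255 (the limited broadcast; 68 to 67 is BOOTP/DHCP client traffic), the local subnet broadcast, and the directed broadcast of some other subnet that happens to share the same link (67.159.139.191 is the broadcast address of a /26, and port 520 is RIP) all reach ipfw without anything being misconfigured locally. Only a unicast address that is neither ours nor broadcast nor multicast points at promiscuous mode or at a frame that was addressed to our MAC anyway. The "possible directed broadcast" class is a heuristic based on trailing one-bits and the `min_host_bits` threshold is an assumption; the log lines and the ifconfig text (including the MAC address) are constructed samples.

```python
"""Triage ipfw deny-log destinations and check an interface for PROMISC.
Added example for the freebsd-net thread above; samples are constructed."""
import ipaddress
import re

# ipfw log line as written to /var/log/security.  TCP/UDP entries carry
# ports; other protocols do not, hence the optional port groups.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# FreeBSD ifconfig flags line, e.g.
# rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
FLAGS_RE = re.compile(
    r"^(?P<iface>\w+): flags=[0-9a-f]+<(?P<flags>[A-Z0-9_,]*)>", re.M
)

# The poster's interface: address plus netmask, as in rc.conf.
LOCAL_IFACE = "69.62.255.119/255.255.255.0"

# Constructed sample: the three flavours of line quoted in the post.
SAMPLE_LOG = """\
Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0
Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0
Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0
""".splitlines()

# Constructed sample of 'ifconfig rl0' output with PROMISC set (MAC is made up).
SAMPLE_IFCONFIG = """\
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
\tinet 69.62.255.119 netmask 0xffffff00 broadcast 69.62.255.255
"""


def parse_ipfw_line(line):
    """Return a dict of the ipfw fields, or None if the line is not an ipfw log entry."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def trailing_ones(addr):
    """Count low-order 1 bits: addr is the directed-broadcast address of every
    prefix whose host part is at most that many bits long."""
    n, k = int(addr), 0
    while n & 1:
        n >>= 1
        k += 1
    return k


def classify_destination(dst, local="69.62.255.119/255.255.255.0", min_host_bits=4):
    """Explain why a frame with this IPv4 destination can reach a non-promiscuous
    host configured as `local` (address/netmask).  Broadcast and multicast
    destinations arrive on the broadcast/multicast MAC; only 'foreign unicast'
    implies promiscuous mode or a frame that was addressed to our MAC anyway."""
    local_iface = ipaddress.IPv4Interface(local)
    dst = ipaddress.IPv4Address(dst)
    if dst == local_iface.ip:
        return "local unicast"
    if dst == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast"
    if dst == local_iface.network.broadcast_address:
        return "local subnet broadcast"
    if dst.is_multicast:
        return "multicast"
    # Heuristic (assumption): an address ending in >= min_host_bits one-bits is
    # most likely the directed broadcast of another subnet sharing the link.
    k = trailing_ones(dst)
    if k >= min_host_bits:
        return "possible directed broadcast (/%d)" % (32 - k)
    return "foreign unicast"


def is_promisc(ifconfig_text, iface):
    """True if the ifconfig flags line for iface lists PROMISC."""
    for m in FLAGS_RE.finditer(ifconfig_text):
        if m.group("iface") == iface:
            return "PROMISC" in m.group("flags").split(",")
    raise ValueError("interface %s not found in ifconfig output" % iface)


def summarize(log_lines, local=LOCAL_IFACE):
    """One (dst, dport, classification) tuple per inbound ipfw log line."""
    rows = []
    for line in log_lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["dir"] != "in":
            continue
        rows.append((rec["dst"], rec["dport"], classify_destination(rec["dst"], local)))
    return rows


if __name__ == "__main__":
    for dst, port, why in summarize(SAMPLE_LOG):
        print("%-16s port %-5s %s" % (dst, port, why))
    print("rl0 promiscuous:", is_promisc(SAMPLE_IFCONFIG, "rl0"))
```

On a live box, feed `grep 'ipfw:' /var/log/security` into `summarize()` and the output of `ifconfig rl0` into `is_promisc()`; a run where every logged destination lands in one of the broadcast classes and PROMISC is absent means the card is behaving exactly as a non-promiscuous Ethernet interface should.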