From: "Li, Qing" <qing.li@bluecoat.com>
To: "Ronald F. Guilmette", "freebsd-net@freebsd.org"
Date: Sun, 23 Oct 2011 01:58:03 +0000
Subject: RE: IPFW shows me Strangeness in fresh 8.2-RELEASE system
List-Id: Networking and TCP/IP with FreeBSD

First thing comes to mind is to check if "rl0" is running in promiscuous mode.

Check ifconfig output, and do a "ifconfig rl0 -promisc" just for good measure and
see what happens.

--Qing

________________________________________
From: owner-freebsd-net@freebsd.org [owner-freebsd-net@freebsd.org] on behalf of Ronald F. Guilmette [rfg@tristatelogic.com]
Sent: Saturday, October 22, 2011 5:47 PM
To: freebsd-net@freebsd.org
Subject: IPFW shows me Strangeness in fresh 8.2-RELEASE system

I've been slowly bringing up a fresh new 8.2-RELEASE system on one of my
static IPs, and I've set up some minimalist ipfw rules, just for the time
being, to try to protect it from Evil Invaders.  I arranged for these rules
to log all unexpected inbound packets coming in via the one and only ethernet
card.

The card has been ifconfig'd as follows:

    ifconfig_rl0="inet 69.62.255.119 netmask 255.255.255.0"

I'll admit to being ignorant about many of the finer details of networking
generally, but to my way of thinking, the above configuration should cause
the card to really only listen for inbound packets addressed to 69.62.255.119.
Yes?  No?

Well, anyway, that's been my experience in the past.

The odd thing is that I'm getting some inbound packets logged by my final
``catch all'' deny & log rule in my IPFW rules list, where the destination
IP address on the packets being logged is *not* 69.62.255.119.

This is absolutely puzzling to me, and I hope that somebody can explain it
to me.  I mean how can this occur?  The destination IP addresses in question
aren't even in the same /24 as my machine, so I really don't understand how
or why my card is even receiving these packets.

The inbound packets in question are not really a problem.  I can easily
figure out how to add additional ipfw rules to block them completely.
But the very fact that my ethernet card is even hearing them, given its
configured IP address, is rather disturbing to me, because it obviously
means that there's something deep going on here that I just don't understand,
but I would like to understand it.

The packets in question seem to come in three flavors.  About 1/3 of them look
like this in the /var/log/security file:

    Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0

Some others look like this:

    Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0

Still others look like this:

    Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0

The destination addresses for all of the logged packets represented above are
quite clearly *not* the IP address of the machine I'm setting up.  Not even
close.

Note that the machine I've been setting up is on a static IP address on an
ordinary end-luser DSL line.  Note also that all addresses within the
67.159.128.0/19 block belong to my own ISP, Surewest Broadband.  So it would
seem to be the case that some other folks or businesses who use my same ISP
may perhaps be sending out some funny (and misdirected?) packets, but that's
not an issue that concerns me.  What does concern me is just the fact that
my ethernet card seems to be listening to packets that aren't even addressed
to it, and I really just don't understand why.

Any enlightenment would be appreciated.


Regards,
rfg


P.S.  This is the first time I've ever touched FreeBSD 8.x.  I've been using
7.x releases in the past however, and before that 6.x and 5.x releases and
I've really never seen anything quite like this before.  Do 8.x releases now
cause ethernet cards to listen for stuff they should not even be listening
for?

Color me perplexed.
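
Added example (not part of either message above): a small triage script that parses the three ipfw log lines quoted in the thread and classifies each destination address against the interface configuration quoted there. The function names and category labels are assumptions made for this illustration.

```python
import ipaddress
import re

# Interface configuration quoted in the original message.
IFACE = ipaddress.ip_interface("69.62.255.119/255.255.255.0")

# The three log lines quoted in the original message.
LOG_LINES = [
    "Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0",
    "Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0",
    "Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0",
]

# Matches the TCP/UDP line shape shown in the message:
# "ipfw: <rule> <action> <proto> src:port dst:port <dir> via <if>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifname>\S+)"
)

def classify_destination(dst, iface=IFACE):
    """Label a destination address relative to the configured interface."""
    addr = ipaddress.ip_address(dst)
    if addr == iface.ip:
        return "unicast-to-host"
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr == iface.network.broadcast_address:
        return "subnet-broadcast"
    if addr.is_multicast:
        return "multicast"
    # Not ours and not a broadcast for the configured subnet.
    return "foreign"

def triage(lines, iface=IFACE):
    """Return (src, dst, dport, label) for every line that parses."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # skip lines that are not TCP/UDP ipfw entries
        label = classify_destination(m["dst"], iface)
        results.append((m["src"], m["dst"], int(m["dport"]), label))
    return results

if __name__ == "__main__":
    for src, dst, dport, label in triage(LOG_LINES):
        print(f"{src:>15} -> {dst:<15} port {dport:<5} {label}")
```

Packets labelled "limited-broadcast" are delivered to every host on the segment whatever IP address is configured; "foreign" entries are the ones where the promiscuous-mode check suggested in the reply is the relevant next step.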