Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 7 Aug 2001 07:30:48 -0400 (EDT)
From: Dru
To: User & Ian Patrick Thomas
Subject: Re: Is this what the Code Red II worm does?

On Mon, 6 Aug 2001, User & Ian Patrick Thomas wrote:

> After doing an ipfw show after rebooting, I noticed the following
>
> 00106 5 216 (T 0, # 81) ty 0 tcp, 24.49.81.9 4061 <-> 24.49.117.213 80
> 00106 5 216 (T 0, # 174) ty 0 tcp, 24.240.245.40 2819 <-> 24.49.117.213 80
> 00106 5 216 (T 0, # 198) ty 0 tcp, 24.218.162.152 3547 <-> 24.49.117.213 80
>
> this is the ruleset it matched
>
> 00106 43 3202 allow tcp from any to any keep-state setup

Hi Ian,

On a side note, you might want to consider adding the word "out" to that
rule between the words "keep-state" and "setup". Until you specify a
direction, that rule works both ways.

Cheers,

Dru
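Added example, not part of the original message: a small parser for the dynamic-state lines quoted above that reports which states were opened by remote hosts, which is what a directionless keep-state rule permits. It assumes 24.49.117.213 is the firewall host's own address and that the first address on each line is the initiator; the last sample line is constructed for contrast.

```python
import re
from collections import Counter

# Lines 1-4 are the output quoted in the message; the last line is a
# constructed outbound entry (192.0.2.10 is a documentation address).
SAMPLE = """\
00106 5 216 (T 0, # 81) ty 0 tcp, 24.49.81.9 4061 <-> 24.49.117.213 80
00106 5 216 (T 0, # 174) ty 0 tcp, 24.240.245.40 2819 <-> 24.49.117.213 80
00106 5 216 (T 0, # 198) ty 0 tcp, 24.218.162.152 3547 <-> 24.49.117.213 80
00106 43 3202 allow tcp from any to any keep-state setup
00106 12 840 (T 20, # 33) ty 0 tcp, 24.49.117.213 1045 <-> 192.0.2.10 25
"""
LOCAL = {"24.49.117.213"}  # assumption: the firewall host's own address

# Dynamic (keep-state) entry: rule, packets, bytes, (T .., # ..), ty, proto,
# then "addr port <-> addr port". Static rule lines do not match.
DYN_RE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s*\d+,\s*#\s*\d+\)\s+ty\s+\d+\s+(?P<proto>\w+),\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

def classify(text, local_addrs):
    """Parse dynamic entries and tag each as 'in', 'out' or 'unknown'."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.lstrip("> ").strip())  # tolerate mail quoting
        if not m:
            continue
        e = m.groupdict()
        src_local, dst_local = e["src"] in local_addrs, e["dst"] in local_addrs
        if dst_local and not src_local:
            e["direction"] = "in"    # remote host opened the state
        elif src_local and not dst_local:
            e["direction"] = "out"   # this host opened the state
        else:
            e["direction"] = "unknown"
        entries.append(e)
    return entries

def inbound_by_rule(text, local_addrs):
    """Count remotely initiated states per (rule number, local port)."""
    return Counter((e["rule"], int(e["dport"]))
                   for e in classify(text, local_addrs)
                   if e["direction"] == "in")

if __name__ == "__main__":
    for (rule, port), n in inbound_by_rule(SAMPLE, LOCAL).items():
        print(f"rule {rule}: {n} inbound state(s) to local port {port}")
```

Any rule number reported here is a keep-state rule that is creating state for inbound connections, so it is a candidate for an explicit direction.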