Date: Mon, 27 Jun 2005 15:53:52 -0400
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Stephan Weaver" <stephanweaver@hotmail.com>, <freebsd-questions@freebsd.org>
Subject: RE: IPF Logging packets Every 2-10 Seconds.
Message-ID: <MIEPLLIBMLEEABPDBIEGMEMHHHAA.fbsd_user@a1poweruser.com>
In-Reply-To: <BAY20-F35A1783098F45A96296711A8EE0@phx.gbl>
No, you are wrong. Rule number 27 is in the incore table, not in your text source rule file. Use ipfstat -oihn to list the incore rules table.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Stephan Weaver
Sent: Monday, June 27, 2005 3:45 PM
To: fbsd_user@a1poweruser.com; freebsd-questions@freebsd.org
Subject: RE: IPF Logging packets Every 2-10 Seconds.

No, you are wrong. If you look at the 1st log line, e.g.

>27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN

that log refers to RULE NUMBER 27, which in my RULESET (line 27) doesn't have the word log. So it must be something else.

>From: "fbsd_user" <fbsd_user@a1poweruser.com>
>Reply-To: <fbsd_user@a1poweruser.com>
>To: "Stephan Weaver" <stephanweaver@hotmail.com>, <freebsd-questions@freebsd.org>
>Subject: RE: IPF Logging packets Every 2-10 Seconds.
>Date: Mon, 27 Jun 2005 13:28:29 -0400
>
>The log shows that it's all packets trying to penetrate your firewall.
>This is normal public internet traffic sent by people trying to
>break into your system. Your firewall is doing its job of blocking
>this unwanted junk just like you want it to do. If you don't want to
>see this stuff in your log then remove the log keyword from your
>rules and it will stop logging that junk.
>
>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Stephan
>Weaver
>Sent: Monday, June 27, 2005 11:19 AM
>To: freebsd-questions@freebsd.org
>Subject: IPF Logging packets Every 2-10 Seconds.
>
>
>Hello list,
>
>My IPF Firewall System is logging packets almost every 2 - 10
>seconds.
>I would like to narrow this problem down.
>
>firewall# cat /etc/ipf.rules
>block in all
>block out all
>
>pass in quick on lo0 all
>pass out quick on lo0 all
>
>pass out quick on vr0 from any to any keep state
>
>pass in quick on vr1 all
>pass out quick on vr1 all
>
># Block all inbound traffic from non-routable or reserved address spaces
>block in log quick on vr0 from 192.168.0.0/16 to any #RFC 1918 private IP
>block in log quick on vr0 from 172.16.0.0/12 to any #RFC 1918 private IP
>block in log quick on vr0 from 10.0.0.0/8 to any #RFC 1918 private IP
>block in log quick on vr0 from 127.0.0.0/8 to any #loopback
>block in log quick on vr0 from 0.0.0.0/8 to any #loopback
>block in log quick on vr0 from 169.254.0.0/16 to any #DHCP auto-config
>block in log quick on vr0 from 192.0.2.0/24 to any #reserved for doc's
>block in log quick on vr0 from 204.152.64.0/23 to any #Sun cluster interconnect
>block in log quick on vr0 from 224.0.0.0/3 to any #Class D & E multicast
>
># Block frags
>block in quick on vr0 all with frags
># Block short tcp packets
>block in quick on vr0 proto tcp all with short
># Block source routed packets
>block in quick on vr0 all with opt lsrr
>block in quick on vr0 all with opt ssrr
># Block nmap OS fingerprint attempts
># Log first occurrence of these so I can get their IP address
>block in log first quick on vr0 proto tcp all flags FUP
>block in log first quick on vr0 proto tcp all flags SF/SFRA
>block in log first quick on vr0 proto tcp all flags /SFRA
>block in log first quick on vr0 proto tcp all flags F/SFRA
>block in log first quick on vr0 proto tcp all flags U/SFRAU
>block in log first quick on vr0 proto tcp all flags P
># Block anything with special options
>block in quick on vr0 all with ipopts
>
># Block public pings
>block in log quick on vr0 proto icmp all icmp-type 8
>
>
># TSTT NameServers
>pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep state
>pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep state
>
># Block and log only first occurrence of all remaining traffic
># coming into the firewall. The logging of only the first
># occurrence stops a "denial of service" attack targeted
># at filling up your log file space.
># This rule enforces the block all by default logic.
>block in log first quick on vr0 all
>
>
><SNIP>
>
>firewall# tail -f /var/log/ipfilter.log
>27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:06.598363 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.515511 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:14.470027 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:17.432263 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:23.439618 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:29.633637 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:30.068091 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.592810 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.954266 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.859627 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.993186 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:03.372975 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:06.350342 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:12.289440 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:14.453865 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:17.418664 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:23.462695 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:53.929698 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:54.745636 vr0 @0:27 b 70.176.85.4,2263 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:55.988928 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:58.693653 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:01.582810 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:02.423821 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
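Added example (not from either poster): a Python script that numbers the posted rules the way the in-kernel table (ipfstat -in / -on) counts them, so a log entry's @0:27 can be mapped back to the rule text and to its line in the source file. It assumes every rule is in group 0 (no head/group keywords) and that each rule begins with an action followed by in or out; the ruleset is a constructed transcription of the one posted, with comments shortened.

```python
import re

# Constructed transcription of the ruleset posted in the thread (comments shortened).
BOGONS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
          "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23", "224.0.0.0/3"]
FLAGS = ["FUP", "SF/SFRA", "/SFRA", "F/SFRA", "U/SFRAU", "P"]
RULES = "\n".join(
    ["block in all", "block out all", "", "pass in quick on lo0 all",
     "pass out quick on lo0 all", "", "pass out quick on vr0 from any to any keep state",
     "", "pass in quick on vr1 all", "pass out quick on vr1 all", "",
     "# Block all inbound traffic from non-routable or reserved address spaces"]
    + [f"block in log quick on vr0 from {net} to any  # reserved" for net in BOGONS]
    + ["# Block frags", "block in quick on vr0 all with frags",
       "# Block short tcp packets", "block in quick on vr0 proto tcp all with short",
       "# Block source routed packets", "block in quick on vr0 all with opt lsrr",
       "block in quick on vr0 all with opt ssrr", "# Block nmap OS fingerprint attempts"]
    + [f"block in log first quick on vr0 proto tcp all flags {f}" for f in FLAGS]
    + ["# Block anything with special options", "block in quick on vr0 all with ipopts",
       "# Block public pings", "block in log quick on vr0 proto icmp all icmp-type 8",
       "# TSTT NameServers",
       "pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep state",
       "pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep state",
       "# Block and log only first occurrence of all remaining traffic",
       "block in log first quick on vr0 all"])
# First log line from the thread; "@0:27" is group 0, rule 27 of the in-kernel list.
LOG = ("27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> "
       "192.168.1.1,16478 PR tcp len 20 48 -S IN")

def incore_rules(text, direction):
    """Number rules like ipfstat -in / -on (assumption: no 'head'/'group' keywords,
    so everything is group 0): comments and blank lines are not rules, and the in
    and out lists are numbered independently. Returns [(source_line_no, rule), ...]
    where list index + 1 is the in-core rule number."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = line.split("#", 1)[0].strip()       # strip trailing comment
        if rule and rule.split()[1] == direction:  # 'block in ...' / 'pass out ...'
            rules.append((lineno, rule))
    return rules

def resolve(log_line, text):
    """Map a log line's @group:rule back to the rule text and its source line."""
    m = re.search(r"@(\d+):(\d+)\s+[bp]\s", log_line)
    num = int(m.group(2))
    direction = "in" if log_line.rstrip().endswith("IN") else "out"
    lineno, rule = incore_rules(text, direction)[num - 1]
    return num, lineno, rule

if __name__ == "__main__":
    print(resolve(LOG, RULES))  # → (27, 44, 'block in log first quick on vr0 all')
```

In this transcription, line 27 of the file is a rule without the log keyword while in-core rule 27 is the final block-all rule that does log, which is exactly the mismatch the thread is about.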