Date:      Fri, 28 Mar 2003 10:34:16 -0500
From:      Walter <walterk1@earthlink.net>
To:        Questions <freebsd-questions@FreeBSD.org>
Subject:   ipfw question
Message-ID:  <3E846B78.10607@earthlink.net>

Hi all,

    I see a strange entry in my mail log from the
ipfw log output.  I don't really have a firm grasp
on ipfw yet and need help understanding how this
log entry came about (17 times), below:

 > ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0

The output of "ipfw list" starts as:

00100 allow ip from any to any via lo0
00200 deny log logamount 100 ip from any to 127.0.0.0/8
00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
01300 divert 8668 ip from any to any via fxp0
01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
<remaining omitted>

My question is how come rule 00700 did not kick out the
prober, rather than falling to rule 01700? I realize the log
amounts are limited, but how did rule 01700 get activated
when rule 00700, it seems to me, should have knocked out the
packet? Is this evidence of someone having broken into my
FBSD router, as there are no other entries I've seen to
other possible internal IPs, or was someone just lucky?

Thanks.

Walter
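A model of the rule walk the message asks about, added here as an illustration; it is not part of Walter's message and not FreeBSD code. It assumes (the message does not say so) that fxp0 is the external interface holding the router's public address, that natd is what listens on divert port 8668, and that the masked 192.168.xxx.xxx host had an outbound flow whose external port was 49339; the addresses 203.0.113.5 and 192.168.1.50 are constructed stand-ins. The model reproduces ipfw's first-match evaluation and the documented divert behaviour: a packet that natd writes back re-enters the ruleset at the rule after the divert rule, carrying the translated destination, so rules 00500-01200 only ever saw the public address and the inside address first became visible at 01400 onward.

```python
"""Model of the ipfw rule walk for the logged packet (illustration only).

Assumptions (none are stated in the message): fxp0 is the external
interface holding the router's public address, natd answers on divert
port 8668 for that interface, and the masked 192.168.xxx.xxx host had an
outbound flow whose external port was 49339. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.5"       # constructed stand-in for fxp0's public address
INTERNAL_HOST = "192.168.1.50"  # constructed stand-in for 192.168.xxx.xxx
NAT_TABLE = {49339: (INTERNAL_HOST, 49339)}  # constructed natd state: ext port -> inside host/port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    iface: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                        # "allow", "deny" or "divert"
    src: str                           # CIDR or "any"
    dst: str                           # CIDR or "any"
    iface: Optional[str] = None        # "via"/"recv" interface; None matches any
    direction: Optional[str] = None    # "in", "out" or None for both


def in_net(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and rule.iface in (None, pkt.iface)
            and rule.direction in (None, pkt.direction))


# The ruleset from the message. "log logamount 100" only caps how many
# times a rule logs; it never changes which rule matches, so it is left out.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
          "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"]
RULES = [Rule(100, "allow", "any", "any", "lo0"),
         Rule(200, "deny", "any", "127.0.0.0/8"),
         Rule(300, "deny", "192.168.1.0/24", "any", "fxp0", "in"),
         Rule(400, "deny", "24.170.166.0/24", "any", "ep0", "in")]
RULES += [Rule(500 + 100 * i, "deny", "any", net, "fxp0") for i, net in enumerate(BOGONS)]   # 00500-01200
RULES.append(Rule(1300, "divert", "any", "any", "fxp0"))
RULES += [Rule(1400 + 100 * i, "deny", net, "any", "fxp0") for i, net in enumerate(BOGONS)]  # 01400-02100


def natd_inbound(pkt: Packet) -> Packet:
    """natd on an inbound packet: rewrite the public destination to the inside host."""
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.dport in NAT_TABLE:
        host, port = NAT_TABLE[pkt.dport]
        return replace(pkt, dst=host, dport=port)
    return pkt


def walk(rules, pkt: Packet):
    """First-match walk. Returns (deciding rule number, action, list of
    (rule number, action, destination that rule saw) for every matching rule)."""
    trace = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if matches(rule, pkt):
            trace.append((rule.num, rule.action, pkt.dst))
            if rule.action != "divert":
                return rule.num, rule.action, trace
            # natd writes the packet back and ipfw resumes at the rule *after*
            # the divert rule, now with the translated destination address.
            pkt = natd_inbound(pkt)
        i += 1
    return None, "default", trace


# The logged packet as it arrived on the wire: destination still the public address.
LOGGED = Packet("tcp", "0.0.0.0", PUBLIC_IP, 80, 49339, "fxp0", "in")
# The same packet if it had arrived already addressed to the inside host.
ALREADY_INSIDE = replace(LOGGED, dst=INTERNAL_HOST)

if __name__ == "__main__":
    for name, pkt in [("as NAT'd traffic", LOGGED), ("already inside-addressed", ALREADY_INSIDE)]:
        num, action, trace = walk(RULES, pkt)
        print(f"{name}: decided by rule {num:05d} ({action}); matching rules: {trace}")
```

Run as-is, the first walk is decided by rule 01700 after matching 01300 with the public destination, while the second (a packet that reached fxp0 already addressed to the inside host) is stopped at 00700. Under these assumptions the log line is consistent with a normal NAT reinjection rather than a bypass of rule 00700; the detail worth checking on a real box is whether the inside host had an open flow with that port at the time, which natd and the state of the outbound connection would show.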



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E846B78.10607>