Odd firewall messages

From: Michael Richards (michael@fastmail.ca)
Date: 02/22/01


To: freebsd-security@freebsd.org
From: "Michael Richards" <michael@fastmail.ca>
Date: Wed, 21 Feb 2001 21:31:39 -0500 (EST)


Aside from my bind problems, I finally got a firewall up and running
for our servers. The ipfilter rules catching the odd packets are:
# Nasty Packets:
# Block any packets which are too short to be real.
block in log quick all with short
# Block any packets with source routing set
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# block any traffic claiming to be from an RFC reserved IP space
block in log quick on xl1 from 192.168.0.0/16 to any
block in log quick on xl1 from 172.16.0.0/12 to any
block in log quick on xl1 from 10.0.0.0/8 to any
# block localhost type IPs
block in log quick on xl1 from 127.0.0.0/8 to any
# block anything claiming to be a '0.x.x.x'
block in log quick on xl1 from 0.0.0.0/8 to any
# block IANA IPs reserved for use in auto-configuration
block in log quick on xl1 from 169.254.0.0/16 to any
# block IPs reserved for documentation authors
block in log quick on xl1 from 192.0.2.0/24 to any
# reserved SUN IPs for private cluster interlocks
block in log quick on xl1 from 204.152.64.0/23 to any
# multicast traffic
block in log quick on xl1 from 224.0.0.0/3 to any

Now I seem to be getting a number of weird packets presumably probing
my machine for various open ports:

21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968 IN
21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 -> x.x.x.x,25 PR tcp len 20 7168 - IN
21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25 PR tcp len 20 10240 -A IN

I haven't figured out what the last 2 log entries are or do only
because I haven't read into the docs far enough yet.

The thing I find curious is the first set of packets. These are
coming from RFC reserved IP addresses. Why on earth would I probe you
using a return address of 10.0.0.1, since I probably won't ever get
a response? Before the firewall was plugged in (it had a bypass
during setup and testing) I presume that the responses to these
packets were just fired back and filtered out somewhere. Since rules
#2 and #3 do not seem to be firing, I assume they are not source
routed so as to have the return source pass through the attacking
machine.

Anyone have any wisdom when it comes to decoding what I'm seeing here?

thanks
-Michael
_________________________________________________________________
     http://fastmail.ca/ - Fast Free Web Email for Canadians

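As an added example (not part of the post above), a small Python decoder for ipmon lines in the format shown: it maps the @group:rule field back to the ruleset in load order (ipf numbers rules by their position within the group, so @0:6 is the 10.0.0.0/8 rule and @0:1 the "with short" rule) and tallies blocked packets per rule. It assumes the oddly large total-length values in the log (19968, 7168, 10240) are byte-swapped 16-bit lengths (78, 28 and 40 bytes); that is an assumption about this particular build, not something the post states.

```python
import re
from collections import Counter

# Ruleset as posted, in load order, abbreviated to each rule's distinguishing
# clause. ipf numbers rules by position within their group, so "@0:6" in an
# ipmon line is the sixth rule of group 0.
RULES = [
    "with short", "with opt lsrr", "with opt ssrr",
    "from 192.168.0.0/16", "from 172.16.0.0/12", "from 10.0.0.0/8",
    "from 127.0.0.0/8", "from 0.0.0.0/8", "from 169.254.0.0/16",
    "from 192.0.2.0/24", "from 204.152.64.0/23", "from 224.0.0.0/3",
]
# ipmon: date time [Nx] iface @grp:rule b|p src,sport -> dst,dport PR proto len hdrlen totlen [flags] IN|OUT
LOG_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\w.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: (?P<flags>[-A-Z]+))? (?P<dir>IN|OUT)$")
# Three of the posted log entries, re-joined onto single lines.
SAMPLE = [
    "21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968 IN",
    "21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 -> x.x.x.x,25 PR tcp len 20 7168 - IN",
    "21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25 PR tcp len 20 10240 -A IN",
]

def parse_entry(line):
    """Decode one ipmon line; None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["count"] = int(e["count"] or 1)   # "2x" = two identical packets
    e["rule"] = int(e["rule"])
    e["rule_text"] = RULES[e["rule"] - 1] if 0 < e["rule"] <= len(RULES) else "?"
    tlen = int(e["tlen"])
    # Assumption: totals like 19968 (0x4E00) are byte-swapped lengths (78);
    # swap when the low byte is zero and the raw value exceeds Ethernet MTU.
    e["total_len"] = tlen >> 8 if tlen & 0xFF == 0 and tlen > 1500 else tlen
    # Rough "too short" test: less than a TCP (20) / UDP (8) header follows IP.
    e["short"] = e["total_len"] - int(e["hlen"]) < (20 if e["proto"] == "tcp" else 8)
    return e

def summarize(lines):
    """Tally blocked packets per (rule number, rule text), honouring Nx counts."""
    hits = Counter()
    for e in map(parse_entry, lines):
        if e and e["action"] == "b":
            hits[(e["rule"], e["rule_text"])] += e["count"]
    return hits
```

summarize(SAMPLE) attributes three packets to rule 6 (the 10.0.0.0/8 block) and one to rule 1 (with short); under the byte-swap assumption the two port-25 entries decode to a 28-byte TCP packet with no flags and a 40-byte ACK-only packet.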