Hello all,

I am fairly new to ipfilter and had a question about something I am
noticing. This is running on SunOS XXXX 5.8 Generic_117350-51 sun4u sparc
SUNW,Ultra-250 and IPF version 4.1.28. This server is primarily running a
listserv, thus needing smtp to be open and running without problems. My
question is this: is what I'm seeing below normal, or is there something I
can change to fix this problem? I have hidden the IPs for security reasons.

Thanks in advance.

-Luiz


ipmon:
28/02/2008 12:39:59.634787 hme0 @0:18 b 204.13.161.20,25 -> XXX.XXX.XXX.XXX,44080 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:40:59.630671 hme0 @0:18 b 204.13.161.20,25 -> XXX.XXX.XXX.XXX,44153 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:41:28.644906 hme0 @0:18 b 218.233.144.195,25 -> XXX.XXX.XXX.XXX,44172 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:41:38.649272 hme0 @0:18 b 218.233.144.195,25 -> XXX.XXX.XXX.XXX,44172 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:41:48.645091 hme0 @0:18 b 218.233.144.195,25 -> XXX.XXX.XXX.XXX,44172 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:41:58.655520 hme0 @0:18 b 218.233.144.195,25 -> XXX.XXX.XXX.XXX,44172 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:41:58.675230 hme0 @0:18 b 204.13.161.20,25 -> XXX.XXX.XXX.XXX,44214 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:42:08.632902 hme0 @0:18 b 66.158.17.25,25 -> XXX.XXX.XXX.XXX,44223 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:42:08.656886 hme0 @0:18 b 218.233.144.195,25 -> XXX.XXX.XXX.XXX,44172 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:42:58.671929 hme0 @0:18 b 204.13.161.20,25 -> XXX.XXX.XXX.XXX,44270 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:43:08.631484 hme0 @0:18 b 66.158.17.25,25 -> XXX.XXX.XXX.XXX,44276 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:44:27.744362 hme0 @0:18 b 157.182.232.199,25 -> XXX.XXX.XXX.XXX,44351 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:44:37.699773 hme0 @0:18 b 157.182.203.37,25 -> XXX.XXX.XXX.XXX,44364 PR tcp len 20 40 -AR IN OOW

netstat:
XXX.XXX.XXX.XXX.44287     219.251.130.43.25        0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44296     213.229.249.143.25       0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44299     192.190.33.73.25         0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44319     213.229.249.143.25       0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44321     204.255.44.42.25         0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44322     204.255.44.42.25         0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44323     69.25.47.164.25          0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44326     163.120.15.5.25          0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44329     216.68.8.212.25          0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44336     204.255.44.42.25         0      0 65700      0 SYN_SENT
XXX.XXX.XXX.XXX.44337     157.28.10.56.25          0      0 65700      0 SYN_SENT

rules:
@1 pass in quick on lo0 all
@2 pass in quick on hme0 proto tcp from any to any port = smtp flags S/FSRPAU keep state keep frags
@3 pass in quick on hme0 proto tcp from any to any port = 80 keep state
@4 pass in quick on hme0 proto icmp from any to any icmp-type echo
@5 pass in quick on hme0 proto tcp from any to any port = ssh flags S/SA keep state
@6 pass in log quick on hme0 proto tcp from XXX.XXX.XXX.XXX/32 to XXX.XXX.XXX.XXX/32 port = 7938 keep state
@7 pass in log quick on hme0 proto tcp from XXX.XXX.XXX.XXX/32 to XXX.XXX.XXX.XXX/32 port = 7937 keep state
@8 block in quick on hme0 from any to XXX.XXX.XXX.XXX/32
@9 block in quick on hme0 from any to XXX.XXX.XXX.XXX/32
@10 block in quick on hme0 from any to XXX.XXX.XXX.XXX/32
@11 block in quick on hme0 from any to XXX.XXX.XXX.XXX/32
@12 block in quick on hme0 from XXX.XXX.XXX.XXX/32 to any
@13 block in quick on hme0 from any to XXX.XXX.XXX.XXX/32
@14 block in quick on hme0 from XXX.XXX.XXX.XXX/32 to any port = 21
@15 block in quick on hme0 from XXX.XXX.XXX.XXX/32 to any port = 25
@16 pass in quick on hme0 proto tcp from any to any port = 113 keep state
@17 block return-rst in log on hme0 proto tcp from any to any flags S/FSRPAU
@18 block in log on hme0 all
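
An added example, not part of the original post: a small Python parser for ipmon records in the format shown above, which counts blocked packets per rule and separates bare-SYN connection attempts from ACK-bearing segments sent from a service port (25 here). The sample records are constructed with documentation addresses, and the function names and labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the ipmon format shown in the post; addresses are
# RFC 5737 documentation ranges, wrapped after "->" the way the mail was.
SAMPLE = """\
28/02/2008 12:39:59.634787 hme0 @0:18 b 198.51.100.20,25 ->
192.0.2.10,44080 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:40:09.630671 hme0 @0:18 b 198.51.100.20,25 ->
192.0.2.10,44080 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:41:28.644906 hme0 @0:18 b 203.0.113.5,25 ->
192.0.2.10,44172 PR tcp len 20 40 -AR IN OOW
28/02/2008 12:42:00.000000 hme0 @0:17 b 203.0.113.9,51000 ->
192.0.2.10,23 PR tcp len 20 48 -S IN
"""

RECORD = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<ifc>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[^, ]+),(?P<sport>\d+) -> "
    r"(?P<dst>[^, ]+),(?P<dport>\d+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+) -(?P<flags>[A-Z]*) "
    r"(?P<dir>IN|OUT)(?P<oow> OOW)?")

def parse(text):
    """Rejoin records wrapped after '->' and return one dict per record."""
    joined = re.sub(r"->\s*\n\s*", "-> ", text)
    return [m.groupdict() for m in map(RECORD.match, joined.splitlines()) if m]

def classify(rec, service_port=25):
    """Label a TCP record from its ports and flags alone."""
    flags = set(rec["flags"])
    if flags == {"S"}:
        return "connection attempt"          # bare SYN opens a connection
    if int(rec["sport"]) == service_port and "A" in flags:
        return "reply from service port"     # ACK set, sent from port 25
    return "other"

def summarize(text):
    """Count blocked records per (rule number, label, source address)."""
    counts = Counter()
    for rec in parse(text):
        if rec["action"] == "b":
            counts[(int(rec["rule"]), classify(rec), rec["src"])] += 1
    return counts

if __name__ == "__main__":
    for (rule, label, src), n in sorted(summarize(SAMPLE).items()):
        print(f"rule @{rule}: {n} x {label} from {src}")
```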
