On 2024-02-13, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Tue, Feb 13, 2024 at 08:29:59AM +0000, jonathon575 wrote:
>> Kindly find below log entries generated from tcpdump of the pflog. This is a 
>> fresh install & updated OpenBSD 7.4, with a bare-minimum installation 
>> configured for a firewall. There are no x* programs installed.
>> 
>> Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xdd6a56bc
>> Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x963acc89
>> Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x93d9508d
>> Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x112cf65b
>> Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x639ed21a
>> Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
>> Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x8ae84cca
>> Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xcbb881b7
>> Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x612a28f8
>> Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x49f595ec
>> 
>> wan-ip is my wan static ip address.
>> 
>> What does [wg] mean? What does "initiation from 0xdd6a56bc" etc. mean? 
>
> These log entries mean that your system blocked attempts from 69.166.225.73 
> to access whatever wan-ip is. 
>
> Your system recognized the traffic as attempts to initiate a WireGuard (a 
> sort of vpn, see https://man.openbsd.org/wg 
> and links therein). The attempts were blocked.

Sending WireGuard packets at you doesn't seem very likely to be
malicious; more likely wan-ip was previously used by someone for their
WireGuard connections and it was reassigned to you.

> Some of the things you mention may require specialized tools, but please 
> invest some time in learning to
> properly interpret the output of the basic tools first.

accton(8) and the manpages referenced in accton's "SEE ALSO" might be
one place to start reading to log what's been run on a system.

aide (in packages) might be useful for detecting changed files.


-- 
Please keep replies on the mailing list.
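An added worked example, not part of the thread above: a small parser for the tcpdump pflog lines quoted in the original question, which pulls out the pf rule, action, interface, endpoints and the WireGuard message type, and then checks the two things that support the "stale peer, reassigned address" reading. WireGuard retransmits a handshake initiation every REKEY_TIMEOUT (5 s) until it gets a response, and each attempt carries a fresh random 32-bit sender index, which is the 0x... value tcpdump prints after "initiation from". The sample log is constructed from the posted lines, re-joined onto single lines with wan-ip kept as the stand-in for the firewall address; the flow keys, field names and the 1 s tolerance are choices made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the pflog lines from the post, re-joined onto single
# lines (tcpdump wraps long lines in the mail archive). wan-ip is the
# firewall's own address, as in the post.
SAMPLE_LOG = """\
Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x93d9508d
Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x112cf65b
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
"""

WG_DEFAULT_PORT = 51820   # WireGuard's default listen port
REKEY_TIMEOUT = 5.0       # seconds between WireGuard handshake retransmissions

# tcpdump's pflog header followed by its [wg] decode (initiation/response/cookie/data)
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"\[wg\] (?P<msg>initiation|response|cookie|data)\b(?P<rest>.*)$"
)
SENDER_RE = re.compile(r"from 0x([0-9a-fA-F]{8})")


@dataclass
class WgLogEntry:
    when: datetime
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str
    sender: Optional[int]   # 32-bit sender index printed after "from", if any


def parse_line(line: str) -> Optional[WgLogEntry]:
    """Parse one tcpdump pflog line carrying a [wg] decode; None for anything else."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    s = SENDER_RE.search(m["rest"])
    return WgLogEntry(
        when=datetime.strptime(m["stamp"], "%b %d %H:%M:%S.%f"),
        rule=int(m["rule"]), action=m["action"], direction=m["dir"],
        ifname=m["ifname"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), msg=m["msg"],
        sender=int(s.group(1), 16) if s else None,
    )


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries, tolerance: float = 1.0):
    """Group [wg] initiations per (src, sport, dst, dport) and characterise the cadence."""
    flows = defaultdict(list)
    for e in entries:
        if e.msg == "initiation":
            flows[(e.src, e.sport, e.dst, e.dport)].append(e)
    report = {}
    for key, es in flows.items():
        es.sort(key=lambda e: e.when)
        gaps = [(b.when - a.when).total_seconds() for a, b in zip(es, es[1:])]
        report[key] = {
            "initiations": len(es),
            # a new random index per attempt is normal; it does not mean many clients
            "distinct_sender_indices": len({e.sender for e in es}),
            "from_wg_default_port": key[1] == WG_DEFAULT_PORT,
            # gaps of about 5 s are WireGuard's handshake retransmission timer
            "rekey_timeout_retries": sum(abs(g - REKEY_TIMEOUT) <= tolerance for g in gaps),
            "bursts_under_10ms": sum(g < 0.01 for g in gaps),
        }
    return report


if __name__ == "__main__":
    for flow, stats in summarize(parse_log(SAMPLE_LOG)).items():
        print("%s:%d -> %s:%d" % flow)
        for k, v in stats.items():
            print("  %-24s %s" % (k, v))
```

On the posted lines this reports one flow from 69.166.225.73, source port 51820, six initiations with six distinct sender indices, three gaps of roughly 5 s between the first four attempts, and one sub-millisecond burst at 18:29:33. That is what an unattended WireGuard peer still configured with your address as its endpoint looks like; a scanner would not be sourcing from the WireGuard port and retrying on WireGuard's own timer. Feed real output in with something like `tcpdump -n -e -ttt -r /var/log/pflog | python3 wglog.py` after replacing SAMPLE_LOG with sys.stdin (the timestamp format above is the one shown in the post; -ttt prints a different one).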
