Re: ipflog entries?

2005-04-04 Thread Robert Marella
Danny Pansters wrote:
> On Tuesday 05 April 2005 00:05, Robert Marella wrote:
> > Greetings
> >
> > My daily mail on my firewall (5.3-rel-p4) has always shown many (> 1)
> > blocks by my blocking rule "block in quick on em0 from 10.0.0.0/8 to
> > any". Obviously I'm using ipf/ipnat.
> >
> > So, for education, today I enabled "log" for a short time on that rule.
> > Within a few minutes I logged over twenty attempts from the same
> > address. (Sample below, text attached)
> >
> > 04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
> > 04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
> > 04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
> > 04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
> >
> > Port 67 shows dhcps and 68 shows dhcpc in /etc/services.
> > em0 is connected to my roadrunner cable modem. Is the cable modem doing
> > this or is someone spoofing this IP address?
> >
> > Sorry if this has been answered already but I'm kind of new to the
> > firewall stuff.
> >
> > Thank you for your time.
> > Robert
>
> It's your cable provider insisting on sending you bootps info (for broken
> Windows customers I reckon). Yech, that's as if you're some network
> appliance :) Mine does that too. I just drop them and don't log them.
> Whenever your dhclient needs to renew a lease it will connect, and if your
> firewall keeps state on that, your ISP's DHCP server has its lucky moment
> because for once something may connect back in. Both of you happy.
>
> HTH,
> Dan

Thanks Dan.
I kinda thunk it was something like that. Just wanted someone such as 
yourself to confirm. The sheer number that was reported in the daily 
mail was what got me concerned. I was and am just dropping them. I only 
enabled the log for about 5 minutes.

Thanks again
Robert
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ipflog entries?

2005-04-04 Thread Danny Pansters
On Tuesday 05 April 2005 00:05, Robert Marella wrote:
> Greetings
>
> My daily mail on my firewall (5.3-rel-p4) has always shown many (> 1)
> blocks by my blocking rule "block in quick on em0 from 10.0.0.0/8 to
> any". Obviously I'm using ipf/ipnat.
>
> So, for education, today I enabled "log" for a short time on that rule.
> Within a few minutes I logged over twenty attempts from the same
> address. (Sample below, text attached)
>
> 04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
> 04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
> 04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
> 04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>
> Port 67 shows dhcps and 68 shows dhcpc in /etc/services.
>
> em0 is connected to my roadrunner cable modem. Is the cable modem doing
> this or is someone spoofing this IP address?
>
> Sorry if this has been answered already but I'm kind of new to the
> firewall stuff.
>
> Thank you for your time.
> Robert

It's your cable provider insisting on sending you bootps info (for broken
Windows customers I reckon). Yech, that's as if you're some network
appliance :) Mine does that too. I just drop them and don't log them.
Whenever your dhclient needs to renew a lease it will connect, and if your
firewall keeps state on that, your ISP's DHCP server has its lucky moment
because for once something may connect back in. Both of you happy.

HTH,

Dan
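Danny's answer can be checked mechanically rather than by eyeballing the daily mail. The following is an added example (not from this thread, and not part of ipfilter or ipmon) that parses ipmon(8) block lines in the shape shown above and separates the ISP DHCP server's broadcasts (UDP port 67 to 255.255.255.255 port 68, from a 10/8 source) from everything else the firewall dropped, tallying the rest by source and, for unsolicited TCP SYNs, by destination port. It honours ipmon's "2x" repeat prefix so totals match the packet counts the daily report adds up. The sample lines are copied from or modeled on the attached log; the 10.12.0.9 packet and the junk line are constructed to exercise the other branches. The regex covers only the TCP/UDP line shape seen in this thread; lines in other ipmon formats (ICMP, for instance) simply come back as unparsed.

```python
"""Parse ipmon(8) block-log lines and separate ISP DHCP broadcast noise
from everything else the firewall dropped."""
import ipaddress
import re
from collections import Counter

# One ipmon line as seen in the thread, e.g.
#   04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
# "2x" after the timestamp is ipmon's repeat count for identical packets;
# "-S" before the direction is the TCP flags field (absent for UDP).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)"
    r"(?: (?P<count>\d+)x)?"
    r" (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp])"
    r" (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+)"
    r" PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))?"
    r" (?P<direction>IN|OUT)$"
)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: lines copied from/modeled on the attached log, plus one
# non-DHCP packet from 10/8 and one line that is not ipmon output at all.
SAMPLE_LOG = """\
04/04/2005 11:33:23.043437 2x em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:38.027073 em0 @0:6 b 218.83.155.71,55197 -> 66.8.191.104,1029 PR udp len 20 459 IN
04/04/2005 11:34:34.461616 em0 @0:6 b 24.90.91.53,15851 -> 66.8.191.104,42 PR tcp len 20 48 -S IN
04/04/2005 11:37:08.834639 em0 @0:6 b 60.34.114.40,2861 -> 66.8.191.104,5554 PR tcp len 20 48 -S IN
04/04/2005 11:37:11.841033 em0 @0:6 b 60.34.114.40,3634 -> 66.8.191.104,9898 PR tcp len 20 48 -S IN
04/04/2005 11:38:00.000000 em0 @0:3 b 10.12.0.9,5000 -> 66.8.191.104,5000 PR udp len 20 60 IN
this line is not ipmon output
"""


def parse_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"]) if rec["count"] else 1
    for key in ("sport", "dport", "hlen", "plen", "group", "rule"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a blocked packet by what it most likely is."""
    src = ipaddress.ip_address(rec["src"])
    if (rec["proto"] == "udp" and rec["sport"] == 67 and rec["dport"] == 68
            and rec["dst"] == "255.255.255.255"):
        # A DHCP server talking to the segment's broadcast address: the
        # ISP's server, as Danny describes, not traffic aimed at this host.
        return "dhcp-broadcast"
    if any(src in net for net in PRIVATE_NETS):
        return "rfc1918-other"          # 10/8 etc. but not DHCP: worth a look
    if rec["proto"] == "tcp" and rec["flags"] == "-S":
        return "unsolicited-syn"        # inbound connection attempt
    return "other"


def summarize(lines):
    """Tally blocked packets by category, by (source, category), and SYN ports."""
    categories, per_source, syn_ports, unparsed = Counter(), Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["action"] != "b":        # only count what ipf actually blocked
            continue
        label = classify(rec)
        categories[label] += rec["count"]
        per_source[(rec["src"], label)] += rec["count"]
        if label == "unsolicited-syn":
            syn_ports[rec["dport"]] += rec["count"]
    return {"categories": dict(categories), "per_source": dict(per_source),
            "syn_ports": dict(syn_ports), "unparsed": unparsed}


def main():
    report = summarize(SAMPLE_LOG.splitlines())
    for label, n in sorted(report["categories"].items()):
        print(f"{label:16s} {n:4d}")
    for (src, label), n in sorted(report["per_source"].items()):
        print(f"  {src:16s} {label:16s} {n:4d}")
    print("SYN ports:", report["syn_ports"])
    print("unparsed lines:", len(report["unparsed"]))


if __name__ == "__main__":
    main()
```

Feeding the real ipmon output through summarize() (for example `summarize(open("/var/log/ipflog"))`, path assumed) gives the DHCP-broadcast count that Danny says to ignore on one line and leaves the remaining blocks, such as the SYNs to ports 42, 5554 and 9898 in the attached log, visible on their own instead of buried among hundreds of bootps entries.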


ipflog entries?

2005-04-04 Thread Robert Marella
Greetings

My daily mail on my firewall (5.3-rel-p4) has always shown many (> 1)
blocks by my blocking rule "block in quick on em0 from 10.0.0.0/8 to
any". Obviously I'm using ipf/ipnat.

So, for education, today I enabled "log" for a short time on that rule.
Within a few minutes I logged over twenty attempts from the same
address. (Sample below, text attached)

04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN

Port 67 shows dhcps and 68 shows dhcpc in /etc/services.
em0 is connected to my roadrunner cable modem. Is the cable modem doing
this or is someone spoofing this IP address?

Sorry if this has been answered already but I'm kind of new to the
firewall stuff.

Thank you for your time.
Robert

04/04/2005 11:32:13.544747 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:32:22.045132 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:32:38.544230 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:23.043437 2x em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:25.553000 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:27.822447 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:29.962973 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:32.535749 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:34.952726 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:38.027073 em0 @0:6 b 218.83.155.71,55197 -> 66.8.191.104,1029 PR udp len 20 459 IN
04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:34:27.203702 2x em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 341 IN
04/04/2005 11:34:34.461616 em0 @0:6 b 24.90.91.53,15851 -> 66.8.191.104,42 PR tcp len 20 48 -S IN
04/04/2005 11:34:37.463380 em0 @0:6 b 24.90.91.53,15851 -> 66.8.191.104,42 PR tcp len 20 48 -S IN
04/04/2005 11:34:42.021349 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:34:42.804996 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:34:44.532057 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:34:46.807355 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:34:51.521685 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:35:00.022081 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:35:16.541624 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:35:36.322489 2x em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 342 IN
04/04/2005 11:35:59.813198 2x em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 353 IN
04/04/2005 11:36:01.020881 2x em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:36:03.510580 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:36:05.801901 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:36:10.510708 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:36:19.010118 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:36:35.511583 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:37:08.834639 em0 @0:6 b 60.34.114.40,2861 -> 66.8.191.104,5554 PR tcp len 20 48 -S IN
04/04/2005 11:37:09.835071 em0 @0:6 b 60.34.114.40,3093 -> 66.8.191.104,1023 PR tcp len 20 48 -S IN
04/04/2005 11:37:11.841033 em0 @0:6 b 60.34.114.40,3634 -> 66.8.191.104,9898 PR tcp len 20 48 -S IN
04/04/2005 11:37:21.010605 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:37:21.788276 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:37:23.499794 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:37:25.791626 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:37:30.509418 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:37:38.999829 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005