Need help with IPFW rule

Norm Vilmer norm at etherealconsulting.com
Sat Oct 16 08:19:10 PDT 2004


Lowell Gilbert wrote:
> Norm Vilmer <norm at etherealconsulting.com> writes:
> 
> 
>>I get this message (below) on the console of my FreeBSD 4.10 firewall:
>>
>>Connection attempt to TCP <my public ip>:20388 from 61.151.248.42:80
>>flags 0x12
>>
>>It appears that this is getting through the firewall and is logged to
>>the console because log_in_vain is 1.
>>
>>Question: What IPFW rule would block this without interfering with
>>normal http traffic on port 80 (I have Apache running on the box and
>>nat'd machines on the inside interface that access the Internet)?
> 
> 
> In most people's configurations, this would be getting blocked by a
> default block-all rule.  The users' connection out on port 80 would be
> accepted by a rule that is specific to the outgoing direction, and
> incoming packets on those connections would be accepted by either
> keeping state or by letting in only non-SYN packets.
> 
I added log statements to every ipfw rule last night and ran tethereal
against my public interface to get more info on what is happening. It
looks like rule 600 is letting the connection attempts through before they
get to the deny-all rule.

Here's what rule 600 looks like:

${cmd} add 600 pass log tcp from any to any established

Here's the console messages from log_in_vain:

Oct 16 00:03:42 mother /kernel: Oct 16 00:03:42 mother /kernel:
Connection attempt to TCP <<my public ip>>:3672 from 69.93.197.98:80
flags:0x12
Oct 16 01:47:34 mother /kernel: Oct 16 01:47:34 mother /kernel:
Connection attempt to TCP <<my public ip>>:22813 from 69.93.197.98:80
flags:0x12
Oct 16 01:59:35 mother /kernel: Oct 16 01:59:35 mother /kernel:
Connection attempt to TCP <<my public ip>>:25475 from 69.93.197.98:80
flags:0x12
Oct 16 02:14:23 mother /kernel: Oct 16 02:14:23 mother /kernel:
Connection attempt to TCP <<my public ip>>:14512 from 69.93.197.98:80
flags:0x12

Here's the IPFW logs:

Oct 16 00:03:42 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
<<my public ip>>:3672 in via tun0
Oct 16 01:47:34 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
<<my public ip>>:22813 in via tun0
Oct 16 01:59:35 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
<<my public ip>>:25475 in via tun0
Oct 16 02:14:23 mother /kernel: ipfw: 600 Accept TCP 69.93.197.98:80
<<my public ip>>:14512 in via tun0

Here's the tethereal output:

  74 1132.587912 69.93.197.98 -> <<my public ip>> TCP http > 3672 [SYN,
ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
238 7364.391310 69.93.197.98 -> <<my public ip>> TCP http > 22813 [SYN,
ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
259 8085.745452 69.93.197.98 -> <<my public ip>> TCP http > 25475 [SYN,
ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452
270 8973.898736 69.93.197.98 -> <<my public ip>> TCP http > 14512 [SYN,
ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452

I am stumped: how can I block these packets? Is the person sending
the packets trying to get packets through as "established" when they are
really not? Why? Is this a threat?
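The following is an added illustration, not code from this thread or from FreeBSD. It shows why rule 600 accepts these packets: ipfw's `established` option matches any TCP packet with the RST or ACK bit set and never checks SYN, so a bare SYN/ACK (flags 0x12) matches exactly like a mid-stream data segment does. It then models the stateful alternative Lowell described (check-state/keep-state), under which an inbound packet is only accepted when it answers a flow this host actually opened. The log lines below are constructed, modelled on the log_in_vain messages in the post, with the documentation addresses 192.0.2.10 and 198.51.100.7 standing in for the hidden public IP and an arbitrary scanner; `StatefulFilter` is a toy model of ipfw's dynamic rules, not its real implementation.

```python
"""Added illustration: why `pass tcp from any to any established` passes an
unsolicited SYN/ACK, and how a keep-state model treats the same packets.
Sample log lines are constructed; 192.0.2.10 / 198.51.100.7 are
documentation addresses, and StatefulFilter is a toy model, not ipfw."""
import re
from typing import Optional

# TCP flag bits as they appear in the log_in_vain "flags:0x.." field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

# Accepts both spellings seen in the post: "flags 0x12" and "flags:0x12"
LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) flags:?\s*0x(?P<flags>[0-9a-fA-F]+)"
)

# Constructed sample input (not real traffic)
SAMPLE_LOG = """\
Oct 16 00:03:42 mother /kernel: Connection attempt to TCP 192.0.2.10:3672 from 69.93.197.98:80 flags:0x12
Oct 16 01:47:34 mother /kernel: Connection attempt to TCP 192.0.2.10:22813 from 69.93.197.98:80 flags:0x12
Oct 16 01:50:01 mother /kernel: Connection attempt to TCP 192.0.2.10:8080 from 198.51.100.7:40001 flags:0x2
"""


def decode_flags(value: int) -> list:
    """Expand the hex flags field into the names tethereal prints."""
    return [name for bit, name in FLAG_NAMES if value & bit]


def matches_established(flags: int) -> bool:
    """ipfw's `established`: TCP packets with RST or ACK set.  SYN is not
    examined, so a SYN/ACK (0x12) matches."""
    return bool(flags & (ACK | RST))


def parse_log_in_vain(line: str) -> Optional[dict]:
    """Pull the 4-tuple and flags out of one log_in_vain console line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": int(d["flags"], 16)}


class StatefulFilter:
    """Toy model of check-state/keep-state (an assumption for illustration):
    inbound TCP is allowed only if it belongs to a flow this host opened or
    is a fresh SYN to a port we deliberately expose; otherwise deny."""

    def __init__(self, listening_ports):
        self.listening = set(listening_ports)
        self.flows = set()  # (local_port, remote_ip, remote_port)

    def outbound_syn(self, sport: int, dst: str, dport: int) -> None:
        # keep-state on the outbound rule creates the dynamic entry
        self.flows.add((sport, dst, dport))

    def inbound(self, pkt: dict) -> str:
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.flows:
            return "allow: check-state matched a flow we opened"
        bare_syn = bool(pkt["flags"] & SYN) and not pkt["flags"] & ACK
        if bare_syn and pkt["dport"] in self.listening:
            return "allow: new connection to an exposed service"
        return "deny: no state for this flow"


def analyse(log: str, fw: StatefulFilter) -> list:
    """Judge each logged packet under rule 600 and under the stateful model."""
    results = []
    for line in log.splitlines():
        pkt = parse_log_in_vain(line)
        if pkt is None:
            continue
        results.append({
            "dport": pkt["dport"],
            "flags": decode_flags(pkt["flags"]),
            "rule600_established": matches_established(pkt["flags"]),
            "stateful": fw.inbound(pkt),
        })
    return results


def demo() -> list:
    fw = StatefulFilter(listening_ports={80})   # Apache on the box
    # Pretend only the second SYN/ACK answers a SYN this host really sent
    fw.outbound_syn(22813, "69.93.197.98", 80)
    return analyse(SAMPLE_LOG, fw)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running it shows the first SYN/ACK accepted by the `established` test but denied by the stateful model (no flow was opened to that host), the second accepted by both because a matching outbound SYN exists, and the bare SYN to an unexposed port denied by both. The flags are identical in the first two cases; only the state differs, which is why a flags-only rule cannot tell a genuine reply from an unsolicited SYN/ACK.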