Blocking RIP requests on firewall

Mark Woodson mwoodson at sricrm.com
Wed Aug 13 12:33:48 PDT 2003


On Wednesday 13 August 2003 11:27 am, Darryl Hoar wrote:
> >-----Original Message-----
> From: Mark Woodson [mailto:mwoodson at sricrm.com]
> >Sent: Wednesday, August 13, 2003 11:54 AM
> >To: darryl at osborne-ind.com
> >Subject: Re: Blocking RIP requests on firewall
> >
> >On Wednesday 13 August 2003 07:53 am, Darryl Hoar wrote:
> >> Greetings,
> >> I have a FreeBSD 4.7S machine that is running
> >> IPFilter and is configured as a firewall.
> >>
> >> My external interface is xl0.
> >> I put block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
> >> reloaded the rules (by rebooting.  I have it locked down).
> >> it still generates log entries in my firewall_log file.
> >
> >Can you show an example of the log entry you're seeing?
> >
> >> block return-rst in log quick on xl0 proto tcp from any to any
> >> block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
> >
> >> block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
> >
> >if you change this to:
> >block in quick on xl0 proto udp from any to any port = 520
> >
> >You will drop any packet bound for port 520 without logging,
> >not just ones from 10.0.0.1
> >
> >> block in log quick on xl0 all
> >
> >The other entries have the log keyword so will be generating entries.

> here's a couple of the entries:
>
> Aug 13 13:20:59 darryl ipmon[98]: 13:20:58.166238 xl0 @0:3 b 10.0.0.1,router -> 10.0.0.255,router PR udp len 20 72  IN
> Aug 13 13:21:28 darryl ipmon[98]: 13:21:28.164643 xl0 @0:3 b 10.0.0.1,router -> 10.0.0.255,router PR udp len 20 72  IN

I'm kind of at a loss, since it's using rule 3 (which appears to be the rule 
you've got to not log).  What's the output of ipfstat -in (shows the input 
filter with line #'s)?

-Mark
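An added example, not part of the thread: it parses one of the ipmon lines quoted above (re-joined at the line wrap) and replays the four posted rules under IPFilter's rule selection, where a matching quick rule wins immediately and otherwise the last match applies. It assumes ipmon's port names come from /etc/services (router = 520) and simplifies matching to exact fields; with the rules in the posted order the simulation picks the udp any-to-any rule that carries log for this packet, and moving the port 520 rule ahead of it yields a silent block (the real numbering is whatever ipfstat -in reports).

```python
import re

# Constructed sample: one of the thread's ipmon lines, re-joined at the line wrap.
IPMON_LINE = ("Aug 13 13:20:59 darryl ipmon[98]: 13:20:58.166238 xl0 @0:3 b "
              "10.0.0.1,router -> 10.0.0.255,router PR udp len 20 72  IN")
# Layout: time iface @group:rule action src,sport -> dst,dport PR proto len hl tl dir
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpn]) "
    r"(?P<src>[\d.]+),(?P<sport>\w+) -> (?P<dst>[\d.]+),(?P<dport>\w+) "
    r"PR (?P<proto>\w+) len \d+ \d+\s+(?P<dir>IN|OUT)")
SERVICES = {"router": 520}  # assumed /etc/services name ipmon prints for udp/520

def parse_ipmon(line):
    """Extract the fields of one ipmon packet-log line into a dict."""
    m = IPMON_RE.search(line)
    if not m:
        raise ValueError("not an ipmon packet line: %r" % line)
    d = m.groupdict()
    d["group"], d["rule"] = int(d["group"]), int(d["rule"])
    d["sport"] = SERVICES.get(d["sport"], d["sport"])
    d["dport"] = SERVICES.get(d["dport"], d["dport"])
    d["dir"] = d["dir"].lower()
    return d

# The four rules quoted in the thread, in posted order, as
# (action, dir, log, quick, iface, proto, src, dst, dport); None means "any".
RULES = [
    ("block", "in", True,  True, "xl0", "tcp", None, None, None),
    ("block", "in", True,  True, "xl0", "udp", None, None, None),
    ("block", "in", False, True, "xl0", "udp", "10.0.0.1", None, 520),
    ("block", "in", True,  True, "xl0", None, None, None, None),
]
FIELDS = ("iface", "proto", "src", "dst", "dport")

def matches(rule, pkt):
    """Simplified field match: exact interface/proto/address/port, no ranges."""
    return rule[1] == pkt["dir"] and all(
        want is None or want == pkt[key] for want, key in zip(rule[4:], FIELDS))

def first_match(rules, pkt):
    """Return (1-based rule number, logged?) of the rule IPFilter applies: a
    matching 'quick' rule ends the search; otherwise the last match wins."""
    winner = None
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            winner = (n, rule[2])
            if rule[3]:  # quick: stop here
                break
    return winner
```

Calling first_match(RULES, parse_ipmon(IPMON_LINE)) gives the rule number and whether it logs; pass a reordered list to see how moving the port 520 rule up changes the outcome.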