ipfw question

Dancho Penev dpenev at mail.bg
Sat Mar 29 09:20:01 PST 2003


On Fri, Mar 28, 2003 at 10:34:16AM -0500, Walter wrote:
>Date: Fri, 28 Mar 2003 10:34:16 -0500
>From: Walter <walterk1 at earthlink.net>
>To: Questions <freebsd-questions at FreeBSD.org>
>Subject: ipfw question
>
>Hi all,
>
>    I see a strange entry in my mail log from the
>ipfw log output.  I don't really have a firm grasp
>on ipfw yet and need help understanding how this
>log entry came about (17 times), below:
>
> > ipfw: 1700 Deny TCP 0.0.0.0:80 192.168.xxx.xxx:49339 in via fxp0
>
>The output of "ipfw list" starts as:
>
>00100 allow ip from any to any via lo0
>00200 deny log logamount 100 ip from any to 127.0.0.0/8
>00300 deny log logamount 100 ip from 192.168.1.0/24 to any in recv fxp0
>00400 deny log logamount 100 ip from 24.170.166.0/24 to any in recv ep0
>00500 deny log logamount 100 ip from any to 10.0.0.0/8 via fxp0
>00600 deny log logamount 100 ip from any to 172.16.0.0/12 via fxp0
>00700 deny log logamount 100 ip from any to 192.168.0.0/16 via fxp0
>00800 deny log logamount 100 ip from any to 0.0.0.0/8 via fxp0
>00900 deny log logamount 100 ip from any to 169.254.0.0/16 via fxp0
>01000 deny log logamount 100 ip from any to 192.0.2.0/24 via fxp0
>01100 deny log logamount 100 ip from any to 224.0.0.0/4 via fxp0
>01200 deny log logamount 100 ip from any to 240.0.0.0/4 via fxp0
>01300 divert 8668 ip from any to any via fxp0
>01400 deny log logamount 100 ip from 10.0.0.0/8 to any via fxp0
>01500 deny log logamount 100 ip from 172.16.0.0/12 to any via fxp0
>01600 deny log logamount 100 ip from 192.168.0.0/16 to any via fxp0
>01700 deny log logamount 100 ip from 0.0.0.0/8 to any via fxp0
>01800 deny log logamount 100 ip from 169.254.0.0/16 to any via fxp0
>01900 deny log logamount 100 ip from 192.0.2.0/24 to any via fxp0
>02000 deny log logamount 100 ip from 224.0.0.0/4 to any via fxp0
>02100 deny log logamount 100 ip from 240.0.0.0/4 to any via fxp0
><remaining omitted>
>
>My question is how come rule 00700 did not kick out the
>prober, rather falling to rule 01700??  I realize the log

Because the original packet was from 0.0.0.0 to YOUR_PUBLIC_IP
and natd (rule 1300) rewrites the destination address YOUR_PUBLIC_IP
with your private IP address. You should try to find out who sends
this kind of packet from your net to the outside world, because
they are not very regular.

>amounts are limited, but how did rule 01700 get activated
>when rule 00700, seems to me, should have knocked out the
>packet?  Is this evidence of someone having broken into my
>FBSD router, as there are no other entries I've seen to
>other possible internal IPs, or was someone just lucky?
>
>Thanks.
>
>Walter
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

-- 
Regards,
Dancho Penev

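The ordering Dancho describes, as an added simulation that is not part of the thread and not ipfw's or natd's own code: a small model of ipfw walking Walter's rules in order, with the divert rule handing the packet to a stand-in natd that rewrites the destination and then resuming at the next rule. The public address (203.0.113.7), the inside host (192.168.1.10), the port-keyed NAT table and the second "direct" packet are constructed assumptions; real natd keeps a richer translation table, but the rewrite-then-continue behaviour is what decides which rule logs the packet.

```python
"""Model of ipfw rule evaluation around a natd divert rule (constructed example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "allow", "deny" or "divert"
    src: str = "any"                  # CIDR or "any"
    dst: str = "any"
    iface: Optional[str] = None       # "via <iface>"; None matches any interface
    direction: Optional[str] = None   # "in" / "out"; None matches both


def _net_match(cidr: str, addr: str) -> bool:
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.iface in (None, pkt.iface)
            and rule.direction in (None, pkt.direction))


# Assumed router public address (documentation range) and a simplified NAT table:
# inbound packets to PUBLIC_IP:dport are rewritten to the inside host owning dport.
PUBLIC_IP = "203.0.113.7"
NAT_TABLE: Dict[int, str] = {49339: "192.168.1.10"}


def natd_inbound(pkt: Packet) -> Packet:
    """Stand-in for natd: rewrite the destination of an inbound packet addressed
    to the public IP when its destination port has an active mapping."""
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.dport in NAT_TABLE:
        return replace(pkt, dst=NAT_TABLE[pkt.dport])
    return pkt


def evaluate(rules: List[Rule], pkt: Packet,
             nat: Callable[[Packet], Packet]) -> Tuple[int, str, Packet, List[str]]:
    """Walk the ruleset in order. A matching divert hands the packet to nat() and
    evaluation resumes at the following rule (ipfw's one_pass=0 behaviour); the
    first matching allow/deny decides. Returns (rule number, action, final packet, trace)."""
    trace: List[str] = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert":
            before = pkt.dst
            pkt = nat(pkt)
            trace.append(f"{rule.number:05d} divert: dst {before} -> {pkt.dst}")
            continue
        trace.append(f"{rule.number:05d} {rule.action}: "
                     f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.direction} via {pkt.iface}")
        return rule.number, rule.action, pkt, trace
    return 65535, "deny", pkt, trace   # implicit default rule


# Subset of Walter's ruleset; rules that cannot match these packets are omitted.
RULES: List[Rule] = [
    Rule(100, "allow", iface="lo0"),
    Rule(700, "deny", dst="192.168.0.0/16", iface="fxp0"),
    Rule(800, "deny", dst="0.0.0.0/8", iface="fxp0"),
    Rule(1300, "divert", iface="fxp0"),
    Rule(1600, "deny", src="192.168.0.0/16", iface="fxp0"),
    Rule(1700, "deny", src="0.0.0.0/8", iface="fxp0"),
]

# Constructed packets: the logged probe as it arrived on the wire, and for contrast
# a packet that already carries a private destination when it reaches fxp0.
PROBE = Packet("0.0.0.0", 80, PUBLIC_IP, 49339, "fxp0", "in")
DIRECT_PRIVATE = Packet("198.51.100.9", 80, "192.168.1.10", 49339, "fxp0", "in")


def decide(pkt: Packet) -> Tuple[int, str, Packet, List[str]]:
    return evaluate(RULES, pkt, natd_inbound)


if __name__ == "__main__":
    for pkt in (PROBE, DIRECT_PRIVATE):
        number, action, final, trace = decide(pkt)
        print("\n".join(trace))
        print(f"-> rule {number:05d} {action}; logged as "
              f"{final.src}:{final.sport} {final.dst}:{final.dport} {final.direction} via {final.iface}\n")
```

Running it shows rule 700 never seeing the private address for the probe: when 700 is evaluated the destination is still the public IP, the divert at 1300 rewrites it to 192.168.1.10, and 1700 is the first later rule whose source test (0.0.0.0/8) matches, which is exactly the post-NAT form that reaches the log. The second packet, which arrives with a private destination already in place, is stopped at 700. When reading an ipfw log line that sits after a divert rule, the addresses shown are therefore the translated ones, and the wire-level source (here the bogon 0.0.0.0) is the one worth tracking down.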
