IPF Logging packets Every 2-10 Seconds.

fbsd_user fbsd_user at a1poweruser.com
Mon Jun 27 19:53:55 GMT 2005


No, you are wrong.

Rule number 27 is in the in-core table, not in your text source rule
file.

Use ipfstat -oihn to list the in-core rules table.


-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Stephan
Weaver
Sent: Monday, June 27, 2005 3:45 PM
To: fbsd_user at a1poweruser.com; freebsd-questions at freebsd.org
Subject: RE: IPF Logging packets Every 2-10 Seconds.


No, you are wrong.
If you look at the first log line, e.g.
27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN

that log refers to RULE NUMBER 27, which in my RULESET, line 27,
doesn't have the word log.
So it must be something else.


>From: "fbsd_user" <fbsd_user at a1poweruser.com>
>Reply-To: <fbsd_user at a1poweruser.com>
>To: "Stephan Weaver"
><stephanweaver at hotmail.com>,<freebsd-questions at freebsd.org>
>Subject: RE: IPF Logging packets Every 2-10 Seconds.
>Date: Mon, 27 Jun 2005 13:28:29 -0400
>
>The log shows that it's all packets trying to penetrate your firewall.
>This is normal public internet traffic sent by people trying to
>break into your system. Your firewall is doing its job of blocking
>this unwanted junk just like you want it to do. If you don't want to
>see this stuff in your log, then remove the log keyword from your
>rules and it will stop logging that junk.
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Stephan
>Weaver
>Sent: Monday, June 27, 2005 11:19 AM
>To: freebsd-questions at freebsd.org
>Subject: IPF Logging packets Every 2-10 Seconds.
>
>
>Hello list,
>
>My IPF Firewall System is logging packets almost every 2 - 10 seconds.
>I would like to narrow this problem down.
>
>firewall# cat /etc/ipf.rules
>block in all
>block out all
>
>pass in quick on lo0 all
>pass out quick on lo0 all
>
>pass out quick on vr0 from any to any keep state
>
>pass in quick on vr1 all
>pass out quick on vr1 all
>
># Block all inbound traffic from non-routable or reserved address spaces
>block in log quick on vr0 from 192.168.0.0/16 to any   #RFC 1918 private IP
>block in log quick on vr0 from 172.16.0.0/12 to any    #RFC 1918 private IP
>block in log quick on vr0 from 10.0.0.0/8 to any       #RFC 1918 private IP
>block in log quick on vr0 from 127.0.0.0/8 to any      #loopback
>block in log quick on vr0 from 0.0.0.0/8 to any        #loopback
>block in log quick on vr0 from 169.254.0.0/16 to any   #DHCP auto-config
>block in log quick on vr0 from 192.0.2.0/24 to any     #reserved for docs
>block in log quick on vr0 from 204.152.64.0/23 to any  #Sun cluster interconnect
>block in log quick on vr0 from 224.0.0.0/3 to any      #Class D & E multicast
>
># Block frags
>block in quick on vr0 all with frags
># Block short tcp packets
>block in quick on vr0 proto tcp all with short
># Block source routed packets
>block in quick on vr0 all with opt lsrr
>block in quick on vr0 all with opt ssrr
># Block nmap OS fingerprint attempts
># Log first occurrence of these so I can get their IP address
>block in log first quick on vr0 proto tcp all flags FUP
>block in log first quick on vr0 proto tcp all flags SF/SFRA
>block in log first quick on vr0 proto tcp all flags /SFRA
>block in log first quick on vr0 proto tcp all flags F/SFRA
>block in log first quick on vr0 proto tcp all flags U/SFRAU
>block in log first quick on vr0 proto tcp all flags P
># Block anything with special options
>block in quick on vr0 all with ipopts
>
># Block public pings
>block in log quick on vr0 proto icmp all icmp-type 8
>
>
># TSTT NameServers
>pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep state
>pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep state
>
># Block and log only first occurrence of all remaining traffic
># coming into the firewall. The logging of only the first
># occurrence stops a "denial of service" attack targeted
># at filling up your log file space.
># This rule enforces the block all by default logic.
>block in log first quick on vr0 all
>
>
><SNIP>
>
>firewall# tail -f /var/log/ipfilter.log
>27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:06.598363 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.515511 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:14.470027 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:17.432263 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:23.439618 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:29.633637 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:30.068091 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.592810 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.954266 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.859627 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.993186 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:03.372975 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:06.350342 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:12.289440 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:14.453865 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:17.418664 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:23.462695 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:53.929698 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:54.745636 vr0 @0:27 b 70.176.85.4,2263 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:55.988928 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:58.693653 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:01.582810 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:02.423821 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"
>


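The point of the thread is that the @0:27 in an ipmon log line is group 0, rule 27 of the in-core rule list, not line 27 of /etc/ipf.rules, and that only ipfstat -oihn is authoritative for that list. As an added example (not code from the thread or from the IPFilter project), the Python below renumbers the posted ruleset the way a flat, group-less in-core list is counted (one counter per direction, comments and blank lines skipped), maps each log entry's rule number back to the rule text, and groups the entries by source port. The counting scheme, the log-line regex (written from the sample lines in the post), and the function names are assumptions made for this example; the rule file and the five log lines are copied from the post as sample input.

```python
import re
from collections import Counter

# Constructed copy of the rule file from the original post, with the
# comments and blank lines that make a text line number differ from the
# in-core rule number printed in the log.
RULES = """\
block in all
block out all

pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on vr0 from any to any keep state
pass in quick on vr1 all
pass out quick on vr1 all

# Block all inbound traffic from non-routable or reserved address spaces
block in log quick on vr0 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in log quick on vr0 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in log quick on vr0 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in log quick on vr0 from 127.0.0.0/8 to any      #loopback
block in log quick on vr0 from 0.0.0.0/8 to any        #loopback
block in log quick on vr0 from 169.254.0.0/16 to any   #DHCP auto-config
block in log quick on vr0 from 192.0.2.0/24 to any     #reserved for docs
block in log quick on vr0 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in log quick on vr0 from 224.0.0.0/3 to any      #Class D & E multicast
block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
# Block nmap OS fingerprint attempts
block in log first quick on vr0 proto tcp all flags FUP
block in log first quick on vr0 proto tcp all flags SF/SFRA
block in log first quick on vr0 proto tcp all flags /SFRA
block in log first quick on vr0 proto tcp all flags F/SFRA
block in log first quick on vr0 proto tcp all flags U/SFRAU
block in log first quick on vr0 proto tcp all flags P
block in quick on vr0 all with ipopts
block in log quick on vr0 proto icmp all icmp-type 8
pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep state
pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep state
# Block and log only first occurrence of all remaining traffic
block in log first quick on vr0 all
"""

# Five ipmon lines copied from the post, used as constructed sample input.
SAMPLE_LOG = """\
27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
""".splitlines()

# Regex written from the sample lines above (assumption: ipmon's default text format).
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$")


def number_rules(text):
    """Number each direction's rules from 1 in file order, skipping blank
    lines and comments, the way a flat in-core list (no head/group rules)
    is counted.  Assumption for this example: confirm with ipfstat -oihn."""
    counters, table = {"in": 0, "out": 0}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction = line.split()[1]        # "block in ...", "pass out ..."
        counters[direction] += 1
        table[(direction, counters[direction])] = line
    return table


def parse_log(lines):
    """Parse ipmon-style lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in lines) if m]


def attribute(lines, rules_text):
    """Map each log entry's @group:rule back to the rule text it came from."""
    table = number_rules(rules_text)
    return [(h["src"], h["dport"], int(h["rule"]),
             table.get((h["dir"].lower(), int(h["rule"])), "<not in file>"))
            for h in parse_log(lines)]


def retransmit_summary(lines):
    """Entries per (src, sport, dport): the same source port hitting the same
    destination port a few seconds apart is one connection attempt being
    retried, not several separate probes."""
    return Counter((h["src"], h["sport"], h["dport"]) for h in parse_log(lines))
```

On the posted ruleset inbound rule 27 comes out as the catch-all `block in log first quick on vr0 all` at the end of the file, which is the rule doing the logging, while line 27 of the file is a comment or an unrelated rule because comments and blank lines do not count. Two caveats when using this against a real box: the text file is only a prediction of the kernel list, so if ipf -f was run without ipf -Fa the kernel holds appended duplicates and the numbers shift, which is exactly why the advice in the thread is to read ipfstat -oihn rather than the file; and the regex only covers the line shape seen in the post, so extend it before pointing it at a full log.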


