IPF Logging packets Every 2-10 Seconds.

Stephan Weaver stephanweaver at hotmail.com
Tue Jun 28 13:01:06 GMT 2005


OK, first off, I apologise.
Second, thanks a lot.

Now, even if I disconnect my DSL modem and reconnect
and get a 'new' IP address from my ISP,
I still get tons of packets.

Any way to source where this is originating from?


>From: "fbsd_user" <fbsd_user at a1poweruser.com>
>Reply-To: <fbsd_user at a1poweruser.com>
>To: "Stephan Weaver" <stephanweaver at hotmail.com>, <freebsd-questions at freebsd.org>
>Subject: RE: IPF Logging packets Every 2-10 Seconds.
>Date: Mon, 27 Jun 2005 13:28:29 -0400
>
>The log shows that it's all packets trying to penetrate your firewall.
>This is normal public internet traffic sent by people trying to
>break into your system. Your firewall is doing its job of blocking
>this unwanted junk just like you want it to do. If you don't want to
>see this stuff in your log then remove the log keyword from your
>rules and it will stop logging that junk.
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Stephan Weaver
>Sent: Monday, June 27, 2005 11:19 AM
>To: freebsd-questions at freebsd.org
>Subject: IPF Logging packets Every 2-10 Seconds.
>
>
>Hello list,
>
>My IPF Firewall System is logging packets almost every 2 - 10
>seconds.
>I would like to narrow this problem down.
>
>firewall# cat /etc/ipf.rules
>block in all
>block out all
>
>pass in quick on lo0 all
>pass out quick on lo0 all
>
>pass out quick on vr0 from any to any keep state
>
>pass in quick on vr1 all
>pass out quick on vr1 all
>
># Block all inbound traffic from non-routable or reserved address spaces
>block in log quick on vr0 from 192.168.0.0/16 to any   #RFC 1918 private IP
>block in log quick on vr0 from 172.16.0.0/12 to any    #RFC 1918 private IP
>block in log quick on vr0 from 10.0.0.0/8 to any       #RFC 1918 private IP
>block in log quick on vr0 from 127.0.0.0/8 to any      #loopback
>block in log quick on vr0 from 0.0.0.0/8 to any        #loopback
>block in log quick on vr0 from 169.254.0.0/16 to any   #DHCP auto-config
>block in log quick on vr0 from 192.0.2.0/24 to any     #reserved for doc's
>block in log quick on vr0 from 204.152.64.0/23 to any  #Sun cluster interconnect
>block in log quick on vr0 from 224.0.0.0/3 to any      #Class D & E multicast
>
># Block frags
>block in quick on vr0 all with frags
># Block short tcp packets
>block in quick on vr0 proto tcp all with short
># Block source routed packets
>block in quick on vr0 all with opt lsrr
>block in quick on vr0 all with opt ssrr
># Block nmap OS fingerprint attempts
># Log first occurrence of these so I can get their IP address
>block in log first quick on vr0 proto tcp all flags FUP
>block in log first quick on vr0 proto tcp all flags SF/SFRA
>block in log first quick on vr0 proto tcp all flags /SFRA
>block in log first quick on vr0 proto tcp all flags F/SFRA
>block in log first quick on vr0 proto tcp all flags U/SFRAU
>block in log first quick on vr0 proto tcp all flags P
># Block anything with special options
>block in quick on vr0 all with ipopts
>
># Block public pings
>block in log quick on vr0 proto icmp all icmp-type 8
>
>
># TSTT NameServers
>pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep state
>pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep state
>
># Block and log only first occurrence of all remaining traffic
># coming into the firewall. The logging of only the first
># occurrence stops a "denial of service" attack targeted
># at filling up your log file space.
># This rule enforces the block all by default logic.
>block in log first quick on vr0 all
>
>
><SNIP>
>
>firewall# tail -f /var/log/ipfilter.log
>27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:06.598363 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.515511 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
>27/06/2005 11:14:14.470027 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:17.432263 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:23.439618 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:29.633637 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:30.068091 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.592810 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:32.954266 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.859627 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:14:38.993186 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:03.372975 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:06.350342 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:12.289440 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:14.453865 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:17.418664 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:23.462695 vr0 @0:27 b 138.217.177.128,2971 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:53.929698 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:54.745636 vr0 @0:27 b 70.176.85.4,2263 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:55.988928 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:15:58.693653 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:01.582810 vr0 @0:27 b 138.217.177.128,3036 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>27/06/2005 11:16:02.423821 vr0 @0:27 b 81.18.10.245,3183 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
>
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"
>

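An added example, not part of this thread, showing how a defender can answer "where is this originating from" from the ipmon log itself: it parses lines in the format quoted above (the sample below is a constructed excerpt of those same lines), counts blocked packets per source address and destination port, and groups packets by 4-tuple so that the SYNs repeated a few seconds apart from the same source port show up as TCP retransmissions of a single connection attempt rather than separate events.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a few ipmon lines in the layout seen in the thread
# (action 'b' = blocked, rule @0:27, flags '-S' = SYN only, inbound on vr0).
SAMPLE_LOG = """\
27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:06.598363 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
27/06/2005 11:14:12.515511 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
"""

# One ipmon line: date time iface @rule action src,sport -> dst,dport PR proto len hlen plen [flags] dir
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>[\d:.]+) (?P<ifc>\S+) @(?P<rule>\S+) "
    r"(?P<act>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)

def parse(text):
    """Yield one dict per line that matches the ipmon layout; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d/%m/%Y %H:%M:%S.%f")
            yield rec

def summarize(text):
    """Count blocked packets per source and per destination port, and collect
    the timestamps of each (src, sport, dst, dport) so retransmissions of one
    connection attempt can be told apart from distinct attempts."""
    by_src, by_dport, attempts = Counter(), Counter(), defaultdict(list)
    for rec in parse(text):
        if rec["act"] != "b":          # only blocked packets are of interest here
            continue
        by_src[rec["src"]] += 1
        by_dport[rec["dport"]] += 1
        attempts[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec["ts"])
    return by_src, by_dport, attempts

def retransmit_gaps(times):
    """Seconds between consecutive packets of one attempt (~3 s, ~6 s = SYN retransmits)."""
    times = sorted(times)
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    by_src, by_dport, attempts = summarize(SAMPLE_LOG)
    print("packets per source:", by_src.most_common())
    print("packets per destination port:", by_dport.most_common())
    for key, ts in attempts.items():
        print(key, "retransmit gaps:", retransmit_gaps(ts))
```

Feeding the full `/var/log/ipfilter.log` in place of the sample gives the per-source table that answers the question; the 4-tuple grouping also shows that many of the "2-10 second" entries are retransmissions of far fewer actual attempts.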