ipfw question

William A. Mahaffey III wam at hiwaay.net
Sat Mar 28 15:23:04 UTC 2015


On 03/28/15 10:19, The Lost Admin wrote:
> On Mar 28, 2015, at 11:00 AM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>
>> On 03/28/15 09:49, The Lost Admin wrote:
>>> On Mar 28, 2015, at 10:49 AM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>>>
>>>> On 03/28/15 09:37, The Lost Admin wrote:
>>>>> On Mar 28, 2015, at 10:32 AM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>>>>>
>>>>>> On 03/28/15 09:13, The Lost Admin wrote:
>>>>>>>
>>>>>>> On Mar 27, 2015, at 11:39 PM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>>>>>>>
>>>>>>>> On 03/24/15 22:27, William A. Mahaffey III wrote:
>>>>>>>>>
>>>>>>>>> I completed a full pkg upgrade & freebsd-update this A.M. & rebooted. I notice the following in my /var/log/security file:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0
>>>>>>>>> [CUT]
>>>>>>>>>
>>>>>>>>> [root at kabini1, /etc, 10:26:29pm] 366 % ipfw show
>>>>>>>>> 00100 211446 127533786 allow ip from any to any via lo0
>>>>>>>>> 00200      0         0 deny ip from any to 127.0.0.0/8
>>>>>>>>> 00300      0         0 deny ip from 127.0.0.0/8 to any
>>>>>>>>> 00400      0         0 deny ip from any to ::1
>>>>>>>>> 00500      0         0 deny ip from ::1 to any
>>>>>>>>> 00600      0         0 allow ipv6-icmp from :: to ff02::/16
>>>>>>>>> 00700      0         0 allow ipv6-icmp from fe80::/10 to fe80::/10
>>>>>>>>> 00800      2       152 allow ipv6-icmp from fe80::/10 to ff02::/16
>>>>>>>>> 00900      0         0 allow ipv6-icmp from any to any ip6 icmp6types 1
>>>>>>>>> 01000      0         0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>>>>>>>>> 01100      0         0 check-state
>>>>>>>>> 01200    371     38801 allow tcp from me to any established
>>>>>>>>> 01300 131125 100329380 allow tcp from me to any setup keep-state
>>>>>>>>> 01400  15375   1247143 allow udp from me to any keep-state
>>>>>>>>> 01500      0         0 allow icmp from me to any keep-state
>>>>>>>>> 01600      0         0 allow ipv6-icmp from me to any keep-state
>>>>>>>>> 01700      0         0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
>>>>>>>>> 01800      0         0 allow udp from any 67 to me dst-port 68 in
>>>>>>>>> 01900      0         0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
>>>>>>>>> 02000      0         0 allow udp from fe80::/10 to me dst-port 546 in
>>>>>>>>> 02100      0         0 allow icmp from any to any icmptypes 8
>>>>>>>>> 02200      0         0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
>>>>>>>>> 02300   3390    189852 allow icmp from any to any icmptypes 3,4,11
>>>>>>>>> 02400      0         0 allow ipv6-icmp from any to any ip6 icmp6types 3
>>>>>>>>> 02500    164     12060 allow tcp from 192.168.0.0/24 to me
>>>>>>>>> 02600    729    139344 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513
>>>>>>>>> 65000   2079    233849 count ip from any to any
>>>>>>>>> 65100    334     58174 deny { tcp or udp } from any to any dst-port 111,137,138 in
>>>>>>>>> 65200    325    118875 deny { tcp or udp } from 192.168.0.0/24 to me
>>>>>>>>> 65300      0         0 deny ip from any to 255.255.255.255
>>>>>>>>> 65400      0         0 deny ip from any to 224.0.0.0/24 in
>>>>>>>>> 65500      0         0 deny udp from any to any dst-port 520 in
>>>>>>>>> 65500      0         0 deny tcp from any 80,443 to any dst-port 1024-65535 in
>>>>>>>>> 65500   1420     56800 deny log logamount 5000 ip from any to any
>>>>>>>>> 65535      0         0 deny ip from any to any
>>>>>>>>> [root at kabini1, /etc, 10:26:37pm] 367 %
>>>>>>>>>
>>>>>>>>
>>>>>>>> Anyone ? I'm over 5000 warnings, saw that in my messages file ? What gives here ?
>>>>>>>>
>>>>>>>> -- 
>>>>>>>>
>>>>>>> I could be wrong, but I think the 2nd column (1420) is the number of packets (log entries generated by that line) and the second column is the total bytes that those packets contained.
>>>>>>>
>>>>>>> The Lost Admin
>>>>>>> thelostadmin at gmail.com
>>>>>> Thanks for your reply. I think you are correct, but I don't think those are the problems here. After the last 'pkg upgrade' & freebsd-update, *something* is broadcasting to 224.0.0.22 which wasn't doing it before. I have had the above rules for months, & before the upgrade, nothing was trying to broadcast. Now something is & it is swamping ipfw logging to my messages file. Any clue what it is or how to find it ? TIA & thanks again.
>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> 	William A. Mahaffey III
>>>>> I was answering the question about the 5000 log entries. I missed the original question.
>>>>>
>>>>> 224.0.0.22 is a multicast address used for IGMP (Internet Group Management Protocol). You probably upgraded something that has initiated some sort of multicast group request.
>>>>>
>>>>>
>>>> Hmmmmm .... OK, good by me. Any idea how to identify that something that is now broadcasting (which wasn't before) :-) ? TIA & thanks again.
>>>>
>>>> -- 
>>>>
>>>> 	William A. Mahaffey III
>>>>
>>>>   ----------------------------------------------------------------------
>>>>
>>>> 	"The M1 Garand is without doubt the finest implement of war
>>>> 	 ever devised by man."
>>>>                             -- Gen. George S. Patton Jr.
>>> Read the release notes of the things that got upgraded and see if any of them introduced multicast for something.
>>>
>>> Run a sniffer that is IGMP aware and see what’s going on with those packets. It’s probably a request to be added to a multicast group or an advertisement for one.
>>>
>> What sniffer could you suggest ? I am new to the *BSD's :-/ ....
>>
>> -- 
>>
>> 	William A. Mahaffey III
>>
> Wireshark is pretty but requires X11. It also does a better job of making the output understandable.
>
> tcpdump should be included in the base system and is text so works without a GUI. You used to be able to take a tcpdump output file and feed it to Wireshark for viewing.

Very well, I have wireshark already installed (this is a desktop box), I'll poke around & see what I find. Thanks :-).

-- 

	William A. Mahaffey III

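As an added example, not part of the thread: a POSIX sh/awk summariser for the ipfw Deny lines that land in /var/log/security, which shows at a glance which rule, protocol and destination is producing a flood like the one above, before any sniffer is needed. The log lines below are constructed in the format of the entry quoted at the top of the thread (ipfw logs protocols other than TCP/UDP/ICMP as P:<number>, so IGMP shows up as P:2); the function and variable names are my own.

```shell
#!/bin/sh
# Added example: summarise ipfw "Deny" log lines by rule number, protocol and
# destination host, so a multicast flood is visible without reading 5000 lines.

# Constructed sample, in the /var/log/security format ipfw uses on FreeBSD.
SAMPLE_LOG='Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0
Feb 20 09:52:50 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Feb 20 09:52:51 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Feb 20 09:52:52 kabini1 kernel: ipfw: 65100 Deny UDP 192.168.0.5:137 192.168.0.255:137 in via re0
Feb 20 09:53:00 kabini1 kernel: ipfw: limit 5000 reached on entry 65500'

# ipfw_deny_summary: read log text on stdin, print "count rule proto dst",
# most frequent first. A logamount cut-off is reported on stderr, since it
# means the counts are only a lower bound for that rule.
ipfw_deny_summary() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # layout after "ipfw:": rule Deny proto src dst dir via iface
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); dst = $(i+5)
            # strip the port from IPv4 dst so TCP/UDP hits group per host
            if (dst ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", dst)
            n[rule " " proto " " dst]++
        }
        /ipfw: limit [0-9]+ reached on entry/ { limited++ }
        END {
            for (k in n) print n[k], k
            if (limited) print "NOTE: logamount limit hit " limited " time(s); counts are a lower bound" > "/dev/stderr"
        }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a real box use:
#   ipfw_deny_summary < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary
```

The top line of the output for the sample is the 224.0.0.22 entry under rule 65500, which is exactly the pattern the thread is chasing; `ifmcstat` or `netstat -g` on FreeBSD then lists which interface and socket joined the group.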