Hi,
We have an older OpenBSD 3.9 firewall which we will be upgrading to 4.5 and as a part of the upgrade, we will be locking
down our outgoing connections. As a first step, we have added some extra rules to log outgoing connections that are not
specifically allowed by our current rule set.
While monitoring the pflog output, I occasionally see output that looks like this:
Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15
Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18
Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96
Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99
What first jumps out at me is the IP addresses which are not part of our network. The second thing that jumps out is
the "at-#0 18" notation. What does this mean? I'm assuming the number at the end is the packet size. What is the
"at-#0"? Has anybody seen traffic like this? Should I be worried?
Also, this output comes from "tcpdump -n -e -ttt -i pflog0 ifname fxp1". Is there a way I can see the MAC address on
these logged connections without doing a tcpdump on the physical interface?
This is on "3.9 GENERIC#617 i386" with pf turned on, NTP server enabled and an OpenVPN server running.
- Aner
--
Aner Perez
NCS Technologies, Inc
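Added example, not part of the original post or of OpenBSD's tools: a small triage script for records in the format the post's `tcpdump -n -e -ttt -i pflog0` command prints. It parses each record into its pf fields, tells records that tcpdump decoded as IPv4 apart from the `at-#<type> <length>` records (that string is the fallback output of tcpdump's AppleTalk DDP printer in print-atalk.c, so the dotted values in front of it are the AppleTalk decoder's address notation rather than IPv4 addresses), and flags any IPv4 source that is outside the site's internal prefixes. The six quoted records are copied from the post; the two TCP records, the `INTERNAL_PREFIXES` list and the interface name expectation are constructed assumptions for illustration.

```python
"""Triage pflog records as printed by ``tcpdump -n -e -ttt -i pflog0``.

Added example (not part of the original post).  POST_LINES are the records
quoted in the post, re-joined onto one line each; CONSTRUCTED_LINES and
INTERNAL_PREFIXES are made up for illustration and are not from the post.
"""
import ipaddress
import re

# Assumption: the address space that should appear as the source of
# connections entering the firewall on its inside interface (fxp1).
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Records quoted in the post.
POST_LINES = [
    "Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18",
    "Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21",
    "Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15",
    "Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18",
    "Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96",
    "Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99",
]

# Constructed records in the same format: one TCP SYN from an internal
# address, one from an address that is not in INTERNAL_PREFIXES.
CONSTRUCTED_LINES = [
    "Apr 24 09:50:01.000001 rule 150/(match) pass in on fxp1: 192.0.2.10.51234 > 198.51.100.5.80: S 1234567:1234567(0) win 16384 <mss 1460>",
    "Apr 24 09:50:02.000001 rule 150/(match) pass in on fxp1: 203.0.113.7.4444 > 198.51.100.5.22: S 7654321:7654321(0) win 16384 <mss 1460>",
]

# timestamp, "rule N/(reason)", action, direction, interface, then whatever
# decoder tcpdump handed the packet to.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): ?(?P<rest>.*)$"
)

# dotted quad with an optional trailing ".port" as the IPv4 decoder prints it
IPV4_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?$")


def parse_line(line):
    """Return the pf fields of one record, or None if it is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def classify(rec):
    """Say which tcpdump decoder produced the record.

    "at-#<type> <length>" is, as I read tcpdump's print-atalk.c, the default
    branch of its DDP printer for a DDP type it has no dedicated decoder for;
    such a record was therefore not decoded as IP at all.
    """
    rest = rec["rest"]
    if rest.startswith("at-#"):
        ddp_type, _, length = rest[4:].partition(" ")
        return {"kind": "appletalk-ddp",
                "ddp_type": int(ddp_type) if ddp_type.isdigit() else None,
                "length": int(length) if length.isdigit() else None}
    src, dst = IPV4_PORT_RE.match(rec["src"]), IPV4_PORT_RE.match(rec["dst"])
    if src and dst:
        try:
            return {"kind": "ipv4",
                    "src": ipaddress.ip_address(src.group(1)),
                    "sport": int(src.group(2)) if src.group(2) else None,
                    "dst": ipaddress.ip_address(dst.group(1)),
                    "dport": int(dst.group(2)) if dst.group(2) else None}
        except ValueError:  # an octet above 255: not an IPv4 address
            pass
    return {"kind": "unknown"}


def triage(lines):
    """Return (record, reason) pairs for records that deserve a second look:
    anything not decoded as IPv4, and IPv4 sources outside INTERNAL_PREFIXES."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        info = classify(rec)
        if info["kind"] != "ipv4":
            findings.append((line, "not decoded as IPv4: %s" % rec["rest"]))
        elif not any(info["src"] in net for net in INTERNAL_PREFIXES):
            findings.append((line, "source %s outside internal prefixes" % info["src"]))
    return findings


if __name__ == "__main__":
    for record, reason in triage(POST_LINES + CONSTRUCTED_LINES):
        print("%-40s %s" % (reason, record))
```

On the MAC address question: the script does not try to recover one because a pflog record carries only the pf log header followed by the packet from its IP header onward; there is no link-layer header in it, which is why the data has to come from a capture on the physical interface instead.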