On 2009-04-24, Aner Perez <[email protected]> wrote:
> Hi,
>
> We have an older OpenBSD 3.9 firewall which we will be upgrading to 4.5 and
> as a part of the upgrade, we will be locking down our outgoing connections.
> As a first step, we have added some extra rules to log outgoing connections
> that are not specifically allowed by our current rule set.
>
> While monitoring the pflog output, I occasionally see output that looks like
> this:
>
> Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
> Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
> Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15
> Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18
> Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96
> Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99
>
> What first jumps out at me is the IP addresses which are not part of our
> network. The second thing that jumps out is the "at-#0 18" notation. What
> does this mean? I'm assuming the number at the end is the packet size. What
> is the "at-#0"? Has anybody seen traffic like this? Should I be worried?
Looks like AppleTalk. (grep at- /usr/src/usr.sbin/tcpdump/*).

> Also, this output comes from "tcpdump -n -e -ttt -i pflog0 ifname fxp1". Is
> there a way I can see the MAC address on these logged connections without
> doing a tcpdump on the physical interface?

I don't think so, but you may get some additional clues if you increase the
snaplen and view the packet data, maybe try "-s 1500 -vX".
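The lines Aner posted are easier to triage mechanically than by eye. The following Python script is an added example for this thread; it is not code from the thread, from OpenBSD or from tcpdump. It parses tcpdump's pflog0 output in the format shown above (OpenBSD's -ttt prints the date and time, then the pflog header, then the endpoints and protocol summary), splits each line into its pieces, recognises the "at-#N LEN" summary as the generic form tcpdump's AppleTalk printer (print-atalk.c, which is what the grep in the reply turns up) uses for a DDP type N it has no decoder for, with LEN the length, and flags records where neither endpoint lies in the networks you expect to see on the interface. The 192.168.1.0/24 local prefix and the two TCP/UDP sample lines are constructed for the example; the AppleTalk lines are the ones quoted in the thread.

```python
"""Triage tcpdump output from OpenBSD's pflog0 interface.

Input lines are in the shape produced by
`tcpdump -n -e -ttt -i pflog0` on OpenBSD: date and time, the pflog
header (rule, reason, action, direction, interface), the endpoints and
tcpdump's protocol summary.  Records are flagged when neither endpoint is
in an expected local network or when the summary is tcpdump's generic
"at-#N LEN" form, which its AppleTalk printer emits for a DDP type N it
has no decoder for (N is the DDP type number, LEN the length).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[\w-]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<summary>.*)$"
)
ATALK_RE = re.compile(r"^at-#(?P<ddptype>\d+) (?P<length>\d+)$")


@dataclass
class PflogRecord:
    ts: str
    rule: int
    reason: str
    action: str
    direction: str
    ifname: str
    src: Optional[ipaddress.IPv4Address]
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Address]
    dport: Optional[int]
    summary: str
    ddp_type: Optional[int] = None   # set only for "at-#N LEN" summaries
    length: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def split_endpoint(token: str):
    """Split a tcpdump -n IPv4 endpoint into (address, port).

    tcpdump joins host and port with a dot, so five dotted numeric fields
    are address + port and four are a bare address.  IPv6 endpoints and
    tokens that are not addresses come back as (None, None).
    """
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    try:
        return ipaddress.ip_address(token), None
    except ValueError:
        return None, None


def parse_line(line: str) -> Optional[PflogRecord]:
    """Parse one pflog0 line; return None for lines of another shape."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rec = PflogRecord(m["ts"], int(m["rule"]), m["reason"], m["action"],
                      m["dir"], m["ifname"], src, sport, dst, dport,
                      m["summary"])
    at = ATALK_RE.match(rec.summary)
    if at:
        rec.ddp_type = int(at["ddptype"])
        rec.length = int(at["length"])
    return rec


def triage(lines: Sequence[str], local_nets: Sequence[str]) -> List[PflogRecord]:
    """Parse every line and attach the flags worth a second look."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.ddp_type is not None:
            rec.flags.append("undecoded-ddp")
        if rec.src is None or rec.dst is None:
            rec.flags.append("unparsed-endpoint")
        elif not any(rec.src in n or rec.dst in n for n in nets):
            rec.flags.append("no-local-endpoint")
        records.append(rec)
    return records


# Assumed local prefix for the example (not stated in the thread).
LOCAL_NETS = ["192.168.1.0/24"]

# First two lines are quoted from the thread; the last two are constructed
# TCP and UDP records in the same tcpdump -n format.
SAMPLE_LINES = [
    "Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18",
    "Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96",
    "Apr 24 09:51:02.000000 rule 150/(match) pass out on fxp1: 192.168.1.20.49152 > 198.51.100.7.443: S 1:1(0) win 16384",
    "Apr 24 09:51:03.000000 rule 150/(match) pass out on fxp1: 192.168.1.20.49153 > 198.51.100.9.5000: udp 41",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES, LOCAL_NETS):
        if rec.flags:
            print(f"{rec.ts} rule {rec.rule} {rec.src} > {rec.dst} "
                  f"{rec.summary}: {', '.join(rec.flags)}")
```

Pipe the live output in with `tcpdump -n -e -ttt -i pflog0 ifname fxp1 | python3 triage.py` after swapping `SAMPLE_LINES` for `sys.stdin`; the two AppleTalk lines come out flagged both `undecoded-ddp` and `no-local-endpoint`, the two constructed IP lines pass clean.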

