RE: IPF Logging packets Every 2-10 Seconds.

2005-06-29 Thread Stephan Weaver

If you carefully read this log line:
28/06/2005 15:59:23.743138 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60271 PR tcp len 20 40 -AF IN

what it is saying is that 201.238.78.59 on port 4550 wants to make a connection
INTO my network.
Now it is making this connection because one of my LAN users is accessing
that address.

e.g. a LAN user types http://201.238.78.59:1080 [webcam port],
opens up the live view in the webcam, and in response to that the webcam
sends data/packets back to my LAN using the webcam data port instead
[4550].




From: fbsd_user [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Stephan Weaver [EMAIL PROTECTED]
Subject: RE: IPF Logging packets Every 2-10 Seconds.
Date: Tue, 28 Jun 2005 16:40:48 -0400

When you list the incore rules is rule number 28 the block all rule
marking the end of the inbound section of your rules file?

If yes, then you need to add a new pass in rule to allow port 4550
in.
Then the remote system will be able to access your webcam server on
the firewall box.

The short explanation about what you are doing makes all the
difference in the kind of answer you get back.  Should have said
that a long time ago.  This is a different question than what the
email subject says.

-Original Message-
From: Stephan Weaver [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: IPF Logging packets Every 2-10 Seconds.


I do understand what you are saying, but I BELIEVE my ruleset is in the
wrong order or something is WRONG.
Look at this LOG for example:
28/06/2005 15:59:23.743138 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60271 PR tcp len 20 40 -AF IN
28/06/2005 15:59:23.823647 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60272 PR tcp len 20 40 -AF IN
28/06/2005 15:59:24.283051 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60273 PR tcp len 20 40 -AF IN
28/06/2005 15:59:24.283423 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60269 PR tcp len 20 40 -AF IN
28/06/2005 15:59:24.687274 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60271 PR tcp len 20 40 -AF IN
28/06/2005 15:59:24.865697 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60273 PR tcp len 20 40 -AF IN



Right,
now 201.238.78.59 is MY OTHER REMOTE server!
and my WEBCAM software runs on port 4550.
Now that is being logged because one of my LAN users
is accessing 201.238.78.59:4550 via a webpage, but it shows in the
logs.
Something is WRONG.
I know what you are saying, but listen to what I am saying.






___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: IPF Logging packets Every 2-10 Seconds.

2005-06-29 Thread fbsd_user
So the answer is still the same.
You have to add rules to your firewall to allow
that new service in and out of your firewall.

Come on guy, you are making this much harder than it really is.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Stephan
Weaver
Sent: Wednesday, June 29, 2005 9:37 AM
To: [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Subject: RE: IPF Logging packets Every 2-10 Seconds.




RE: IPF Logging packets Every 2-10 Seconds.

2005-06-28 Thread Stephan Weaver

Ok, first off, I apologise.
Second, thanks a lot.

Now, even if I disconnect my DSL modem and reconnect
and get a 'new' IP address from my ISP,
I still get tons of packets.

Any way to find out where this is originating from?



From: fbsd_user [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Stephan Weaver 
[EMAIL PROTECTED],freebsd-questions@freebsd.org

Subject: RE: IPF Logging packets Every 2-10 Seconds.
Date: Mon, 27 Jun 2005 13:28:29 -0400


RE: IPF Logging packets Every 2-10 Seconds.

2005-06-28 Thread fbsd_user


Like I told you before, all that junk you see hitting your
firewall is all attack or probing packets.
This is normal background noise.
You are not being attacked as a specific IP address target, and
getting a different IP address is not going to stop this background
noise.


Almost 98 percent of the attackers are script kiddies. Their
attacks are almost totally based on indiscriminately rolling through
a range of sequential IP addresses. (IE: They never use DNS to look up
your domain name.) You were found by plain bad luck. They run
scripts that only address the known ports listened on by those
services. You use this knowledge to defend against this type of
attack.
The simplest defense is to change the port numbers these services
use. /etc/services is where SSH, Telnet, and FTP port numbers
are defined and where you would change them. For the Apache web
server you specify the access port number in the httpd.conf definitions.
Remote clients who want to access your public services on the
alternate port number will have to enter the alternate port number
as part of the login command.

After setting up alternate port numbers you can have your firewall
log all access to ports 21, 22, 23, or 80 and report the abuse to the
ISP owner of the sending IP address using the FreeBSD port ppars-1.0.
Or if you don't want to use the automated abuse reporting system you
can take the sending IP address from your firewall log and do a manual
whois command to find the ISP owner of the offending IP address
along with the ISP's abuse reporting email address and send your own
email to them about their client sending you attack packets.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Stephan
Weaver
Sent: Tuesday, June 28, 2005 9:01 AM
To: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: IPF Logging packets Every 2-10 Seconds.


RE: IPF Logging packets Every 2-10 Seconds.

2005-06-27 Thread fbsd_user
The log shows that it's all packets trying to penetrate your firewall.
This is normal public internet traffic sent by people trying to
break into your system. Your firewall is doing its job of blocking
this unwanted junk just like you want it to do. If you don't want to
see this stuff in your log then remove the log keyword from your
rules and it will stop logging that junk.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Stephan
Weaver
Sent: Monday, June 27, 2005 11:19 AM
To: freebsd-questions@freebsd.org
Subject: IPF Logging packets Every 2-10 Seconds.


Hello list,

My IPF Firewall System is logging packets almost every 2 - 10
seconds.
I would like to narrow this problem down.

firewall# cat /etc/ipf.rules
block in all
block out all

pass in quick on lo0 all
pass out quick on lo0 all

pass out quick on vr0 from any to any keep state

pass in quick on vr1 all
pass out quick on vr1 all

# Block all inbound traffic from non-routable or reserved address spaces
block in log quick on vr0 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in log quick on vr0 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in log quick on vr0 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in log quick on vr0 from 127.0.0.0/8 to any      #loopback
block in log quick on vr0 from 0.0.0.0/8 to any        #loopback
block in log quick on vr0 from 169.254.0.0/16 to any   #DHCP auto-config
block in log quick on vr0 from 192.0.2.0/24 to any     #reserved for doc's
block in log quick on vr0 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in log quick on vr0 from 224.0.0.0/3 to any      #Class D & E multicast

# Block frags
block in quick on vr0 all with frags
# Block short tcp packets
block in quick on vr0 proto tcp all with short
# Block source routed packets
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on vr0 proto tcp all flags FUP
block in log first quick on vr0 proto tcp all flags SF/SFRA
block in log first quick on vr0 proto tcp all flags /SFRA
block in log first quick on vr0 proto tcp all flags F/SFRA
block in log first quick on vr0 proto tcp all flags U/SFRAU
block in log first quick on vr0 proto tcp all flags P
# Block anything with special options
block in quick on vr0 all with ipopts

# Block public pings
block in log quick on vr0 proto icmp all icmp-type 8


# TSTT NameServers
pass in quick on vr0 proto tcp/udp from 196.3.132.1 to any keep state
pass in quick on vr0 proto tcp/udp from 196.3.132.4 to any keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a 'denial of service' attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on vr0 all


SNIP

firewall# tail -f /var/log/ipfilter.log
27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:06.598363 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
27/06/2005 11:14:12.515511 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:12.670997 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN
27/06/2005 11:14:14.470027 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:17.432263 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:23.439618 vr0 @0:27 b 218.212.63.91,1425 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:29.633637 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:30.068091 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:32.592810 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:32.954266 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:38.859627 vr0 @0:27 b 70.186.121.59,4675 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:14:38.993186 vr0 @0:27 b 138.217.177.128,2905 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:03.372975 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:06.350342 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:12.289440 vr0 @0:27 b 138.217.177.128,2957 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN
27/06/2005 11:15:14.453865 vr0 @0:27 b

Re: IPF Logging packets Every 2-10 Seconds.

2005-06-27 Thread Parv
in message [EMAIL PROTECTED],
wrote Stephan Weaver thusly...

> firewall# tail -f /var/log/ipfilter.log
> 27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 ->
> 192.168.1.1,16478 PR tcp len 20 48 -S IN
> 27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 ->
> 192.168.1.1,16478 PR tcp len 20 48 -S IN

I was going to parse the logs, but the forced line breaks prevent
me.

When you (in general) are posting system messages, errors & such,
please keep the line breaks/tabs as they appear in the original
message.


  - Parv

-- 



RE: IPF Logging packets Every 2-10 Seconds.

2005-06-27 Thread Stephan Weaver

No, you are wrong.
If you look at the 1st log line,
e.g. 27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN


that log refers to RULE NUMBER 27, which in my RULESET, line 27 doesn't have
the word log.

So it must be something else.




RE: IPF Logging packets Every 2-10 Seconds.

2005-06-27 Thread fbsd_user
No you are wrong wrong.

Rule number 27 in the incore table, not in your text source rule
file.

Use ipfstat -oihn to list the incore rules table.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Stephan
Weaver
Sent: Monday, June 27, 2005 3:45 PM
To: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: IPF Logging packets Every 2-10 Seconds.


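The log lines quoted throughout this thread are ipmon(8) text output, and two pieces of advice given above, read the @group:rule reference against the incore list that ipfstat prints rather than against line numbers in the rules file, and pull the repeat senders out of the log for a whois lookup or abuse report, are easier to act on with a small parser. The following Python is an added example, not code from the thread or from IPFilter. The sample lines are copied from the posts; the split of blocked TCP segments into bare-SYN probes and non-SYN segments that matched no state entry is the example's own heuristic, not something ipmon or ipfstat report.

```python
"""Summarise blocked packets from ipmon(8) text log lines.

Added example for this thread; not code from the posts or from IPFilter.
The sample lines below are copied from the posts; the split of blocked TCP
segments into SYN-only probes versus non-SYN segments is this example's own
heuristic, not something ipmon or ipfstat report."""
import re
from collections import Counter

# ipmon text format as seen in the thread. Real ipmon prints "->" between the
# endpoints; the list archive stripped the ">", so both spellings are accepted.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) ->? (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)

# Sample input, copied from the log excerpts in the thread.
SAMPLE_LOG = [
    "27/06/2005 11:13:48.699874 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:13:54.736606 vr0 @0:27 b 138.217.177.128,2840 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:03.585530 vr0 @0:27 b 67.33.99.114,50895 -> 192.168.1.1,16478 PR tcp len 20 48 -S IN",
    "27/06/2005 11:14:09.699265 vr0 @0:27 b 200.108.28.115,3053 -> 192.168.1.1,445 PR tcp len 20 48 -S IN",
    "28/06/2005 15:59:23.743138 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60271 PR tcp len 20 40 -AF IN",
    "28/06/2005 15:59:23.823647 vr0 @0:28 b 201.238.78.59,4550 -> 192.168.1.1,60272 PR tcp len 20 40 -AF IN",
]


def parse_line(line):
    """Return the fields of one ipmon line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"] or ""
    # "@0:27" is group 0, rule 27 of the loaded (incore) list, the numbering
    # that "ipfstat -in" / "ipfstat -on" print, not a line in the rules file.
    rec["rule_ref"] = f"{rec['group']}:{rec['rule']}"
    return rec


def summarize(lines):
    """Count blocked packets by destination port, source and incore rule."""
    by_dport, by_src, rules, syn_by_src = Counter(), Counter(), Counter(), Counter()
    syn_probes = non_syn = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += bool(line.strip())
            continue
        if rec["action"] != "b":          # 'b' = blocked; 'p' = passed
            continue
        by_dport[rec["dport"]] += 1
        by_src[rec["src"]] += 1
        rules[rec["rule_ref"]] += 1
        if rec["proto"] == "tcp":
            if rec["flags"] == "S":        # bare SYN: unsolicited connection attempt
                syn_probes += 1
                syn_by_src[rec["src"]] += 1
            else:                          # non-SYN segment that matched no state entry
                non_syn += 1
    return {"by_dport": by_dport, "by_src": by_src, "rules": rules,
            "syn_by_src": syn_by_src, "syn_probes": syn_probes,
            "non_syn": non_syn, "unparsed": unparsed}


def abuse_candidates(summary, min_hits=2):
    """Sources that sent at least min_hits bare SYNs, most active first."""
    return sorted(((src, n) for src, n in summary["syn_by_src"].items() if n >= min_hits),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("blocked by incore rule:", dict(s["rules"]))
    print("blocked by destination port:", dict(s["by_dport"]))
    print("SYN probes:", s["syn_probes"], " non-SYN segments:", s["non_syn"])
    print("repeat SYN senders (whois / abuse report):", abuse_candidates(s))
```

Feed it the real file with `summarize(open("/var/log/ipfilter.log"))`; the rule counter tells you which incore rule to look up with `ipfstat -in`, and the bare-SYN counter separates scanners from the trailing ACK/FIN segments of sessions your own LAN opened.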