From owner-freebsd-security Tue Aug 3 13:21:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from garlic.acadiau.ca (garlic.acadiau.ca [131.162.2.48]) by hub.freebsd.org (Postfix) with ESMTP id 8418814D4E for ; Tue, 3 Aug 1999 13:21:45 -0700 (PDT) (envelope-from 026809r@dragon.acadiau.ca)
Received: from dragon (dragon.acadiau.ca [131.162.200.56]) by garlic.acadiau.ca (8.8.5/8.8.5) with ESMTP id RAA13944 for ; Tue, 3 Aug 1999 17:21:23 -0300 (ADT)
Date: Tue, 3 Aug 1999 17:21:22 -0300 (ADT)
From: Michael Richards <026809r@dragon.acadiau.ca>
X-Sender: 026809r@dragon
To: security@freebsd.org
Subject: Odd ICMP packets being logged
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi. I'm seeing some odd packets being logged via my ipf. I've looked around but not really found any good resources on ipfilter/ipnat. I can't find this documented:

03/08/1999 17:03:03.370491 vx0 @0:5 b ###.###.###.### -> 10.23.3.2 PR icmp len 20 43 icmp 8/0

10.23.3.2 is my internal address that my ISP has set up with their messed up PIX NAT system.

Here are my rules:

# Nasty Packets:
# Block any packets which are too short to be real.
block in log quick all with short
# Block any packets with source routing set
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# nasty ports we don't allow
block return-rst in log quick on vx0 proto tcp from any to any port = 23
block return-rst in log quick on vx0 proto tcp from any to any port = 25
block return-rst in log quick on vx0 proto tcp from any to any port = 137
block return-rst in log quick on vx0 proto tcp from any to any port = 139
block return-rst in log quick on vx0 proto tcp from any to any port = 1080
block return-rst in log quick on vx0 proto tcp from any to any port = 31337
# return-icmp(net-unr) answers the blocked UDP packet with an outbound
# ICMP destination-unreachable (type 3, code 0)
block return-icmp(net-unr) in log on vx0 proto udp from any to any port = 1080

I suspect that they may be coming from the last rule because that's the only thing that says anything about ICMPs. Can anyone shed light on this, or even point me to a resource that explains ipf's log format?

thanks
-Michael

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
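The question above is really about reading ipmon(8) output. What follows is an added example, not part of the post or of IP Filter itself: a small decoder for ipmon-style log lines that names the fields (interface, group:rule, action code, addresses and ports, protocol, IP header length and total length) and, for ICMP, turns the trailing `type/code` into a name. The field layout is my understanding of the ipmon output format; the sample lines are constructed, with the documentation address 192.0.2.1 standing in for the masked source in the post. On the posted line the decoder reports an inbound ICMP 8/0, an echo request; a `return-icmp(net-unr)` rule generates ICMP type 3 code 0 in the other direction.

```python
"""Decode ipmon(8)-style IP Filter log lines (added example, assumed field layout).

Assumed layout, from the ipmon(8) output format:
  date time iface @group:rule action src[,port] -> dst[,port] PR proto len iphl total [icmp t/c | -flags] [IN|OUT]
"""
import re
from dataclasses import dataclass
from typing import Optional

# Single-letter action column as printed by ipmon.
ACTIONS = {"p": "passed", "b": "blocked", "S": "short packet",
           "n": "NAT translation", "L": "log rule"}

# ICMP type and (for type 3) code names as defined in RFC 792 / RFC 1122.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded"}
ICMP_UNREACH_CODES = {0: "net-unr", 1: "host-unr", 2: "proto-unr",
                      3: "port-unr", 4: "needfrag", 13: "admin-prohib"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[pbSnL]) (?P<src>[^\s,]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[^\s,]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+) "
    r"len (?P<iphl>\d+) (?P<total>\d+)(?: (?P<extra>.*))?$")

# Constructed sample lines (not real traffic); the first mirrors the posted entry.
SAMPLE_LINES = [
    "03/08/1999 17:03:03.370491 vx0 @0:5 b 192.0.2.1 -> 10.23.3.2 PR icmp len 20 43 icmp 8/0",
    "03/08/1999 17:05:10.000001 vx0 @0:4 b 192.0.2.1,4321 -> 10.23.3.2,23 PR tcp len 20 60 -S",
    "03/08/1999 17:06:00.000002 vx0 @0:11 b 192.0.2.1,1234 -> 10.23.3.2,1080 PR udp len 20 36",
]


@dataclass
class IpfLogEntry:
    date: str
    time: str
    iface: str
    group: int
    rule: int
    action: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    iphl: int          # IP header length in bytes ("len 20 ...")
    total: int         # total IP datagram length in bytes ("... 43")
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    tcp_flags: Optional[str] = None

    def icmp_name(self) -> Optional[str]:
        """Human-readable ICMP type (and code for destination-unreachable)."""
        if self.icmp_type is None:
            return None
        name = ICMP_TYPES.get(self.icmp_type, f"type-{self.icmp_type}")
        if self.icmp_type == 3:
            name += "/" + ICMP_UNREACH_CODES.get(self.icmp_code, f"code-{self.icmp_code}")
        return name


def parse_ipf_log_line(line: str) -> IpfLogEntry:
    """Parse one ipmon log line into an IpfLogEntry; raise ValueError if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipmon log line: {line!r}")
    g = m.groupdict()
    entry = IpfLogEntry(
        date=g["date"], time=g["time"], iface=g["iface"],
        group=int(g["group"]), rule=int(g["rule"]), action=ACTIONS[g["action"]],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        proto=g["proto"], iphl=int(g["iphl"]), total=int(g["total"]))
    extra = g["extra"] or ""
    icmp = re.match(r"icmp (\d+)/(\d+)", extra)
    if icmp:                                   # ICMP: trailing "icmp type/code"
        entry.icmp_type, entry.icmp_code = int(icmp.group(1)), int(icmp.group(2))
    elif entry.proto == "tcp" and extra.startswith("-"):
        entry.tcp_flags = extra.split()[0][1:]  # TCP: trailing "-S", "-A", ... flag letters
    return entry


def describe(entry: IpfLogEntry) -> str:
    """One-line summary of what the logged packet was and which rule caught it."""
    what = entry.proto
    if entry.icmp_type is not None:
        what = f"icmp {entry.icmp_name()}"
    elif entry.tcp_flags:
        what = f"tcp flags={entry.tcp_flags}"
    ports = f" port {entry.dport}" if entry.dport is not None else ""
    return (f"{entry.action} by rule {entry.group}:{entry.rule} on {entry.iface}: "
            f"{entry.src} -> {entry.dst}{ports} ({what}, {entry.total} bytes)")


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(describe(parse_ipf_log_line(sample)))
```

Feeding the real log through `parse_ipf_log_line` (for example from `ipmon -n` output piped in) and grouping on `(group, rule)` is the quickest way to see which rule in the loaded set is doing the logging; `@0:5` identifies the rule by its position in group 0 of the active in-bound list, which is what `ipfstat -in` prints.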