From owner-freebsd-questions Thu Nov 16 15: 7:16 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.hiwaay.net (fly.HiWAAY.net [208.147.154.56]) by hub.freebsd.org (Postfix) with ESMTP id 8C0F737B4C5 for ; Thu, 16 Nov 2000 15:07:13 -0800 (PST)
Received: from [10.0.0.20] (spider.interactplus.com [216.180.46.102]) by mail.hiwaay.net (8.11.0/8.11.0) with ESMTP id eAGN7B714991 for ; Thu, 16 Nov 2000 17:07:11 -0600 (CST)
Mime-Version: 1.0
X-Sender: dkelly@hiwaay.net (Unverified)
Message-Id:
Date: Thu, 16 Nov 2000 17:07:06 -0600
To: freebsd-questions@freebsd.org
From: David Kelly
Subject: tcpdump and firewall on Pipeline
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Have been having nasty things appear in my Pipeline 50's firewall log. Not sure if they are on the ISDN side or the ethernet side. ISP says "it must be on the ethernet side", which means inside my office. So I moved the Pipeline and a FreeBSD 4.1.1-STABLE machine off the 10/100 ethernet switch onto a 10baseT hub and fired up tcpdump. Hopefully quick and dirty. No such luck.

Here is an example nasty thing as reported by the Pipeline via syslogd on the FreeBSD system (lines not wrapped on purpose):

Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 216.161.189.149;137 <- 63.166.117.36;137 78 !pass (reject)
Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 63.166.117.36;137 -> 216.161.189.149;137 78 !pass (reject)

Neither of those addresses is one I would know.

The tcpdump(1) manpage says:

    To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

        tcpdump ip and not net localnet

So I'm running "tcpdump ip and not net 10.0.0.0/24", which missed the above event captured by the Pipeline. Then again, the event may not be on the ethernet, as determining that is the entire goal of this project.
So I slipped my Mac over to 10.0.5.20 and tried some things. Opened its netmask to 255.255.0.0 but left the router at 10.0.0.254.

Nov 16 16:35:14 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:14 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:15 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:17 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:21 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:29 10.0.0.254 ASCEND: wan3 udp 208.147.155.2;53 -> 10.0.5.20;49152 156 !pass (reject)

Clearly the Pipeline router's NAT knows the reply ought to go to the Macintosh, as that's where the originating packet started. I don't know why/how the Pipeline firewall missed rejecting the outgoing packets to the DNS servers but caught the incoming. Such will be the subject of another task.

The above tcpdump command line missed all of them. Clearly I'm missing something in tcpdump. /var/log/messages notes fxp0 is changed to promiscuous mode and back with start/stop of tcpdump.

--
David Kelly N4HHE, dkelly@hiwaay.net
========================================================================
Whom computers would destroy, they must first drive mad.
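The script below is an added example and is not part of David Kelly's post, nor code from Ascend or the tcpdump project. It parses the Pipeline firewall lines quoted in the post (reproduced here as constructed sample input) and emulates the BPF expression from the tcpdump manpage, `ip and not net LOCALNET`, so one can check which of the rejected packets that filter would actually have displayed had they reached fxp0, and what interface the router reports for each. The log-line regex is my reading of the quoted lines, not Ascend documentation, and is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the Pipeline firewall lines quoted in the post,
# as the router sends them to syslog on the FreeBSD box.
SAMPLE_LOG = """\
Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 216.161.189.149;137 <- 63.166.117.36;137 78 !pass (reject)
Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 63.166.117.36;137 -> 216.161.189.149;137 78 !pass (reject)
Nov 16 16:35:14 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:29 10.0.0.254 ASCEND: wan3 udp 208.147.155.2;53 -> 10.0.5.20;49152 156 !pass (reject)
"""

# Assumed layout of one Pipeline line (derived from the quoted samples):
# <timestamp> <logger> ASCEND: <iface> <proto> <addr>;<port> <-|-> <addr>;<port> <len> <verdict>
# The arrow gives packet direction; we normalise it into src/dst below.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<logger>\S+) ASCEND: "
    r"(?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<a>[\d.]+);(?P<aport>\d+) (?P<dir>->|<-) (?P<b>[\d.]+);(?P<bport>\d+) "
    r"(?P<length>\d+) (?P<verdict>.+)$"
)


@dataclass(frozen=True)
class FwEvent:
    timestamp: str
    iface: str        # interface the Pipeline reports, e.g. "wan3"
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    length: int
    verdict: str      # e.g. "!pass (reject)"


def parse_line(line: str) -> FwEvent:
    """Parse one firewall log line into a direction-normalised event."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Pipeline firewall line: {line!r}")
    a, b = ipaddress.ip_address(m["a"]), ipaddress.ip_address(m["b"])
    if m["dir"] == "->":
        src, sport, dst, dport = a, int(m["aport"]), b, int(m["bport"])
    else:  # "<-": the packet travels from the right-hand endpoint to the left
        src, sport, dst, dport = b, int(m["bport"]), a, int(m["aport"])
    return FwEvent(m["ts"], m["iface"], m["proto"], src, sport, dst, dport,
                   int(m["length"]), m["verdict"])


def matches_not_net(ev: FwEvent, localnet: str) -> bool:
    """Emulate the tcpdump expression 'ip and not net LOCALNET'.

    In BPF, 'net X' is true when EITHER the source or the destination
    address lies in X, so 'not net X' keeps only packets with neither end
    inside X.  Every event here is IPv4, so the 'ip' clause is always true.
    """
    net = ipaddress.ip_network(localnet, strict=False)
    return not (ev.src in net or ev.dst in net)


def triage(log_text: str, localnet: str) -> list[dict]:
    """For each line: the flow, the interface the router reports, and whether
    the capture filter would have displayed the packet had it reached the LAN."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        rows.append({
            "flow": f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}/{ev.proto}",
            "iface": ev.iface,
            "verdict": ev.verdict,
            "filter_shows": matches_not_net(ev, localnet),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "10.0.0.0/24"):
        print(f"{row['flow']:<48} seen on {row['iface']:<5} "
              f"'ip and not net 10.0.0.0/24' shows it: {row['filter_shows']}")
```

Run against the quoted lines with 10.0.0.0/24, every packet passes the filter, since none of 216.161.189.149, 63.166.117.36 or 10.0.5.20 falls inside that /24; widen the expression to 10.0.0.0/16 (the mask the Mac was given) and the DNS replies to 10.0.5.20 drop out of the capture. The interface column reads `wan3` for every line; whether the Pipeline ever forwards a packet it has rejected on the WAN side to the ethernet is something to confirm against the router's own documentation, the script only surfaces the field so the question can be asked.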