Date:      Thu, 16 Nov 2000 17:07:06 -0600
From:      David Kelly <dkelly@hiwaay.net>
To:        freebsd-questions@freebsd.org
Subject:   tcpdump and firewall on Pipeline
Message-ID:  <p04320402b63a13cdd07e@[10.0.0.20]>

Have been having nasty things appear in my Pipeline 50's firewall
log. Not sure if they are on the ISDN side or ethernet side. ISP says
"it must be on the ethernet side" which means inside my office.

So I moved the pipeline and a FreeBSD 4.1.1-STABLE machine off the
10/100 ethernet switch onto a 10baseT hub and fired up tcpdump.
Hopefully quick and dirty. No such luck.

Here is an example nasty thing as reported by the Pipeline via
syslogd on the FreeBSD system (lines not wrapped on purpose):

Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 216.161.189.149;137 <- 63.166.117.36;137 78 !pass (reject)
Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 63.166.117.36;137 -> 216.161.189.149;137 78 !pass (reject)

Neither of those addresses is one I would know.

The tcpdump(1) manpage says:

        To print traffic neither sourced  from  nor  destined  for
        local  hosts  (if you gateway to one other net, this stuff
        should never make it onto your local net).
               tcpdump ip and not net localnet

So I'm running "tcpdump ip and not net 10.0.0.0/24", which missed the
above event captured by the Pipeline. Then again, the event may not be
on the ethernet at all; determining that is the entire goal of this
project. So I slipped my Mac over to 10.0.5.20 and tried some things.
Opened its netmask to 255.255.0.0 but left the router at 10.0.0.254.

Nov 16 16:35:14 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:14 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:15 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:17 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:21 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)
Nov 16 16:35:29 10.0.0.254 ASCEND: wan3 udp 208.147.155.2;53 -> 10.0.5.20;49152 156 !pass (reject)

Clearly the Pipeline router's NAT knows the reply ought to go to the
Macintosh as that's where the originating packet started. I don't
know why/how the Pipeline firewall missed rejecting the outgoing
packets to the DNS servers but it caught the incoming. Such will be
the subject of another task. The above tcpdump command line missed all.

Clearly I'm missing something in tcpdump. /var/log/messages notes
fxp0 is changed to promiscuous and out with start/stop of tcpdump.
-- 
David Kelly N4HHE, dkelly@hiwaay.net
========================================================================
Whom computers would destroy, they must first drive mad.
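An added example, not part of David Kelly's message or of any Ascend or FreeBSD software: a small Python triage script for the Pipeline firewall log format quoted above. It parses each entry, normalises the `<-`/`->` arrows so that `src` is always the actual sender, classifies the flow against the office address ranges (assumed here to be 10.0.0.0/16, which covers both 10.0.0.0/24 and the 10.0.5.20 test host), and emulates what the `ip and not net NET` tcpdump filter would have printed had the packet ever reached the ethernet segment. The sample lines are the ones quoted in the message, rejoined onto single lines; the reading of `wan3` as the ISDN/WAN-side interface is an assumption.

```python
import ipaddress
import re

# Matches the Ascend Pipeline firewall log lines quoted in the message, e.g.
#   Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 216.161.189.149;137 <- 63.166.117.36;137 78 !pass (reject)
ASCEND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<logger>\S+)\s+ASCEND:\s+"
    r"(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left_ip>\d+(?:\.\d+){3});(?P<left_port>\d+)\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right_ip>\d+(?:\.\d+){3});(?P<right_port>\d+)\s+"
    r"(?P<length>\d+)\s+(?P<verdict>\S+)(?:\s+\((?P<action>[^)]+)\))?\s*$"
)

# Constructed sample: one entry from each log excerpt in the message, unwrapped.
SAMPLE_LOG = [
    "Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 216.161.189.149;137 <- 63.166.117.36;137 78 !pass (reject)",
    "Nov 16 14:12:08 10.0.0.254 ASCEND: wan3 udp 63.166.117.36;137 -> 216.161.189.149;137 78 !pass (reject)",
    "Nov 16 16:35:14 10.0.0.254 ASCEND: wan3 udp 208.147.144.2;53 -> 10.0.5.20;49152 156 !pass (reject)",
]

# Assumption: the office uses 10.0.0.0/16, so the 10.0.5.20 test host counts as local.
LOCAL_NETS = ["10.0.0.0/16"]


def parse_ascend_line(line):
    """Parse one syslog line into a dict; None if it is not an Ascend firewall entry."""
    m = ASCEND_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    # The arrow gives the direction; normalise so that "src" is always the sender.
    if d["arrow"] == "->":
        src, sport, dst, dport = d["left_ip"], d["left_port"], d["right_ip"], d["right_port"]
    else:
        src, sport, dst, dport = d["right_ip"], d["right_port"], d["left_ip"], d["left_port"]
    return {
        "timestamp": d["ts"], "logger": d["logger"], "iface": d["iface"],
        "proto": d["proto"].lower(),
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "length": int(d["length"]), "verdict": d["verdict"], "action": d["action"],
    }


def _is_local(ip, local_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in local_nets)


def classify(entry, local_nets=LOCAL_NETS):
    """Where does this flow sit relative to the office address ranges?"""
    src_local = _is_local(entry["src"], local_nets)
    dst_local = _is_local(entry["dst"], local_nets)
    if src_local and dst_local:
        return "local-to-local"
    if src_local:
        return "outbound"
    if dst_local:
        return "inbound"
    return "external-only"


def not_net_filter_matches(entry, net):
    """Emulate tcpdump 'ip and not net NET': true when neither endpoint is inside NET."""
    n = ipaddress.ip_network(net)
    return (ipaddress.ip_address(entry["src"]) not in n
            and ipaddress.ip_address(entry["dst"]) not in n)


def triage(lines, local_nets=LOCAL_NETS, filter_net="10.0.0.0/24"):
    """Summarise each parsable entry: interface, flow, class, verdict, and whether
    the 'not net' filter would have shown the packet had it reached the ethernet."""
    rows = []
    for line in lines:
        e = parse_ascend_line(line)
        if e is None:
            continue  # unrelated syslog line
        rows.append({
            "iface": e["iface"],
            "flow": "%s:%d -> %s:%d/%s" % (e["src"], e["sport"], e["dst"], e["dport"], e["proto"]),
            "class": classify(e, local_nets),
            "rejected": e["action"] == "reject",
            "filter_would_show": not_net_filter_matches(e, filter_net),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run over the quoted excerpts, the two port-137 entries classify as external-only: neither address falls in a local range, so the `not net` filter would have passed them, but they were logged on `wan3` and a packet the firewall rejects is never forwarded onto the LAN. The DNS replies to 10.0.5.20 also pass the `not net 10.0.0.0/24` test, so their absence from the tcpdump output is consistent with the Pipeline discarding them before they reached fxp0, not with a defect in the filter expression.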

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?p04320402b63a13cdd07e>