From owner-freebsd-questions Sun Mar 25 16:55:40 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from freeze.org (www.stelesys.com [208.177.187.226]) by hub.freebsd.org (Postfix) with ESMTP id E4C2D37B71A for ; Sun, 25 Mar 2001 16:55:36 -0800 (PST) (envelope-from jim@freeze.org)
Received: (from jim@localhost) by freeze.org (8.11.3/8.11.2) id f2Q0tWB51902; Sun, 25 Mar 2001 19:55:32 -0500 (EST) (envelope-from jim)
X-Authentication-Warning: www.stelesys.com: Processed from queue /var/spool/alt_queue
X-Authentication-Warning: www.stelesys.com: Processed by jim with -C /web/siteinfo/freeze/mail/sendmail.cf
Date: Sun, 25 Mar 2001 19:55:32 -0500 (EST)
From: Jim Freeze
X-X-Sender:
To:
Cc: "Andrew C. Hornback" , FreeBSD Questions
Subject: Re: Meaging of Security Check?
In-Reply-To: <20010325151642.C5425@rfx-216-196-73-168.users.reflex>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 25 Mar 2001, Crist J. Clark wrote:

> On Sat, Mar 24, 2001 at 11:43:32AM -0500, Andrew C. Hornback wrote:
> > > -----Original Message-----
> > > From: owner-freebsd-questions@FreeBSD.ORG
> > > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze
> > > Sent: Saturday, March 24, 2001 7:50 AM
> > > To: questions@freebsd.org
> > > Subject: Meaging of Security Check?
> > >
> > > Hi:
> > >
> > > I received the following security check and was wondering what it means:
> > >
> > > eeyore1 security check output
> > >
> > > eeyore1 kernel log messages:
> > > > x3f8-0x3ff irq 4 flags 0x10 on isa
> > > > ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > > ...where the above is repeated for about 100 lines
> > >
> > > I looked up port 67 in /etc/services and it says:
> > >
> > > bootps 67/tcp dhcps #Bootstrap Protocol Server
> > > bootps 67/udp dhcps #Bootstrap Protocol Server
> > >
> > > nslookup says:
> > >
> > > % nslookup 24.2.7.70
> > > Server: proxy1.lxintn1.ky.home.com
> > > Address: 24.5.116.15
> > >
> > > Name: lh1.rdc1.tn.home.com
> > > Address: 24.2.7.70
> > >
> > > Can someone explain what is happening here?
> >
> > To my (semi)trained eye... you're subject to a new form of a DoS attack.
> > [snip]
>
> Guys, guys. You're hurting me.
>
> It looks like Jim has broken his own DHCP setup. 24.9.218.175 looks
> like the address of the machine generating these logs, correct? It is
> blocking its own outgoing packets to lh1.rdc1.tn.home.com which is
> your DHCP server, right?

Hmmm... My dns machines are 24.5.116.15 and 24.5.116.17. My ip has not
changed (thankfully) and is still 24.9.218.175. My firewall is basic
'simple' with additions as given at mostgraveconcern.

> Your machine is trying to renew its lease. You probably want to pass
> that traffic.

What would the ipfw rule look like?

${fwcmd} add pass udp from any to ${dns1} 67
${fwcmd} add pass udp from any to ${dns2} 67

=========================================================
Jim Freeze                                  jim@freeze.org
---------------------------------------------------------
No comment at this time.
http://www.freeze.org
=========================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
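Crist's diagnosis is that the final deny rule (65000 in the log) is dropping the host's own DHCP renewals: UDP from client port 68 to the server's port 67. The script below is an added example, not code from the thread, from FreeBSD's rc.firewall or from mostgraveconcern: it counts the dropped bootps packets in a constructed copy of the ipfw log lines quoted above, extracts the server address they were going to (24.2.7.70 in the log), and prints rc.firewall-style rules that pass the DHCP exchange on the outside interface. The variable names fwcmd and oif follow the rc.firewall convention the thread quotes; the rule numbers 300 to 302 are arbitrary placeholders whose only requirement is to precede the final deny; the interface name vx0 is the one in the log.

```shell
#!/bin/sh
# Added example (not from the thread): find the dropped DHCP renewals in
# ipfw log output and emit the rules that would let the client renew.

# Constructed sample of the ipfw log lines quoted in the thread; the
# addresses and interface are the ones from the log, not a real capture.
SAMPLE_LOG='ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0'

# count_dhcp_denies: read ipfw log text on stdin and print how many
# "Deny UDP" lines have destination port 67 (bootps).
# Field layout: $1 "ipfw:", $2 rule, $3 action, $4 proto, $5 src, $6 dst.
count_dhcp_denies() {
    awk '$3 == "Deny" && $4 == "UDP" && $6 ~ /:67$/ { n++ } END { print n+0 }'
}

# dhcp_servers_from_log: print the distinct server addresses (port 67
# destinations) that the firewall is refusing to talk to, one per line.
dhcp_servers_from_log() {
    awk '$3 == "Deny" && $4 == "UDP" && $6 ~ /:67$/ { sub(/:67$/, "", $6); print $6 }' \
        | sort -u
}

# dhcp_client_rules FWCMD OIF SERVER: print ipfw rules, rc.firewall style,
# that pass a DHCP client's traffic on interface OIF. FWCMD is the ipfw
# invocation (pass "echo" to preview). Rule numbers 300-302 are
# placeholders; they must sort before the final deny rule.
dhcp_client_rules() {
    fwcmd=${1:-"ipfw -q"}
    oif=$2
    dhcp_server=$3
    # Lease renewal: unicast from client port 68 to the known server's port 67.
    echo "${fwcmd} add 300 pass udp from any 68 to ${dhcp_server} 67 out via ${oif}"
    # Initial DISCOVER/REQUEST before any lease exists: broadcast from 0.0.0.0.
    echo "${fwcmd} add 301 pass udp from any 68 to 255.255.255.255 67 out via ${oif}"
    # Replies (OFFER/ACK) from the server back to the client port.
    echo "${fwcmd} add 302 pass udp from ${dhcp_server} 67 to any 68 in via ${oif}"
}

# Stand-alone run: report the drop count, then preview the rules for the
# server found in the sample log without executing ipfw.
printf '%s\n' "$SAMPLE_LOG" | count_dhcp_denies
server=$(printf '%s\n' "$SAMPLE_LOG" | dhcp_servers_from_log)
dhcp_client_rules "echo ipfw -q" vx0 "$server"
```

Running it prints 3 and the three rule lines for 24.2.7.70. To apply them from rc.firewall you would call dhcp_client_rules with "${fwcmd}" and "${oif}" and evaluate its output; the reply rule is deliberately restricted to the server address seen in the log, so if leases arrive from a relay or a second server, that address needs adding too.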