From: "Danny"
Delivered-To: freebsd-security@freebsd.org
Subject: Ipfw + bpf interaction
Date: Wed, 28 Nov 2001 12:44:36 -0500

I've been experimenting with ipfw to ward off the hundreds of attempted http requests per day (primarily all from @home customers) which I suspect to be part of some lingering worm/ddos. My question is whether a connection attempt will still be recorded by clog(8) if the source IP is blocked by ipfw? The reason I ask is because I am still seeing connection attempts in the network log from a specific IP belonging to a class B network which I thought I had blocked.
The syntax for the rule I used was:

    ipfw add deny log logamount 500 ip from 67.161.0.0:255.255.0.0 to my.ip.address

The rule seems to be added to ipfw's rule set, which for my box is as follows:

    00050 1915738 1315695882 divert 8668 ip from any to any via ep1
    00100    3360    1384342 allow ip from any to any via lo0
    00200       0          0 deny ip from any to 127.0.0.0/8
    00300       0          0 deny ip from 127.0.0.0/8 to any
    00400    1596      65772 deny log logamount 500 ip from another.bad.host to my.ip.address
    00500       0          0 deny log logamount 500 ip from 67.161.0.0/16 to my.ip.address
    65535 3795144 2623014796 allow ip from any to any

The firewall blocks 'another.bad.host' without any problems, at least according to the ipfw logs, but I am still seeing connections from the 67.161.0.0 subnet (where all the connections are coming from) in the clog logs (that's fun to say). Do there seem to be any flaws in this particular rule set? This is not intended to be an integral firewall, just simply one to block some of the nuisances that have recently been afflicting a machine on my network.

Thanks for any pointers.

Danny McQuade
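Two things are worth checking against the listing above: bpf readers such as clog(8) or tcpdump tap the interface before ipfw evaluates an inbound packet, so a bpf-based log records an attempt whether or not ipfw later drops it, and the zero packet counter on rule 00500 is the more telling sign that the rule itself is not matching. The Python below is an added illustration, not code from the mail: it walks the quoted ruleset with ipfw's first-match semantics for a constructed packet, and models rule 00050 handing the packet to natd (port 8668 is natd's default divert port), with a destination rewrite assumed only to show how a deny rule written against the public address stops matching once such a rewrite happens.

```python
import ipaddress

# Placeholders (constructed, documentation ranges) for the mail's
# "my.ip.address" and "another.bad.host", which are not given.
MY_IP = "192.0.2.10"
ANOTHER_BAD_HOST = "198.51.100.7"

# The ruleset quoted in the mail, one tuple per rule:
# (number, action, source, destination, interface for 'via' or None).
RULES = [
    (50,    "divert", "0.0.0.0/0",      "0.0.0.0/0",    "ep1"),  # natd on 8668
    (100,   "allow",  "0.0.0.0/0",      "0.0.0.0/0",    "lo0"),
    (200,   "deny",   "0.0.0.0/0",      "127.0.0.0/8",  None),
    (300,   "deny",   "127.0.0.0/8",    "0.0.0.0/0",    None),
    (400,   "deny",   ANOTHER_BAD_HOST, MY_IP,          None),
    (500,   "deny",   "67.161.0.0/16",  MY_IP,          None),
    (65535, "allow",  "0.0.0.0/0",      "0.0.0.0/0",    None),
]

def matches(rule, pkt):
    _, _, src, dst, via = rule
    if via is not None and pkt["iface"] != via:
        return False
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst))

def evaluate(pkt, nat=None):
    """First-match walk of RULES.  A matching divert rule hands the packet to
    natd (modelled by the optional `nat` callable) and, as with a packet natd
    reinjects, evaluation resumes at the next rule.  Returns (number, action).
    bpf taps the interface before any of this runs, so clog sees it either way."""
    pkt = dict(pkt)
    for rule in RULES:
        if not matches(rule, pkt):
            continue
        if rule[1] == "divert":
            if nat is not None:
                pkt = nat(pkt)
            continue
        return rule[0], rule[1]
    raise RuntimeError("ruleset has no terminal rule")

def redirect_to_internal(pkt):
    """Assumed natd behaviour: a redirect maps the public address to an
    internal host, so the packet comes back with a rewritten destination."""
    return {**pkt, "dst": "10.0.0.5"} if pkt["dst"] == MY_IP else pkt

# Constructed probe from inside the blocked /16, arriving on ep1.
SAMPLE_PKT = {"src": "67.161.1.2", "dst": MY_IP, "iface": "ep1"}
```

Without a rewrite the probe stops at rule 00500; with the assumed natd redirect it falls through to 65535, which is the kind of ordering effect that leaves a deny rule's counter at zero.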