Date:      Sat, 28 Mar 2015 11:19:02 -0400
From:      The Lost Admin <thelostadmin@gmail.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Cc:        "William A. Mahaffey III" <wam@hiwaay.net>
Subject:   Re: ipfw question
Message-ID:  <07C9255C-5CDA-4C96-A227-EB28FC836BF5@gmail.com>
In-Reply-To: <5516C210.6090806@hiwaay.net>
References:  <55122B21.60905@hiwaay.net> <55162284.6040806@hiwaay.net> <D4C3522A-97EE-4D35-9AF1-D122BC6D9165@gmail.com> <5516BB73.7010108@hiwaay.net> <26D37EC0-1C91-4009-A5C6-7B40CDE4099B@gmail.com> <5516BF68.9040806@hiwaay.net> <3782D86A-E280-4C01-B492-D1982D372808@gmail.com> <5516C210.6090806@hiwaay.net>


On Mar 28, 2015, at 11:00 AM, William A. Mahaffey III <wam@hiwaay.net> wrote:

> On 03/28/15 09:49, The Lost Admin wrote:
>>
>> On Mar 28, 2015, at 10:49 AM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>>
>>> On 03/28/15 09:37, The Lost Admin wrote:
>>>>
>>>> On Mar 28, 2015, at 10:32 AM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>>>>
>>>>> On 03/28/15 09:13, The Lost Admin wrote:
>>>>>>
>>>>>> On Mar 27, 2015, at 11:39 PM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>>>>>>
>>>>>>> On 03/24/15 22:27, William A. Mahaffey III wrote:
>>>>>>>>
>>>>>>>> I completed a full pkg upgrade & freebsd-update this A.M. & rebooted. I notice the following in my /var/log/security file:
>>>>>>>>
>>>>>>>> Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0
>>>>>>>> [CUT]
>>>>>>>>
>>>>>>>> [root@kabini1, /etc, 10:26:29pm] 366 % ipfw show
>>>>>>>> 00100 211446 127533786 allow ip from any to any via lo0
>>>>>>>> 00200      0         0 deny ip from any to 127.0.0.0/8
>>>>>>>> 00300      0         0 deny ip from 127.0.0.0/8 to any
>>>>>>>> 00400      0         0 deny ip from any to ::1
>>>>>>>> 00500      0         0 deny ip from ::1 to any
>>>>>>>> 00600      0         0 allow ipv6-icmp from :: to ff02::/16
>>>>>>>> 00700      0         0 allow ipv6-icmp from fe80::/10 to fe80::/10
>>>>>>>> 00800      2       152 allow ipv6-icmp from fe80::/10 to ff02::/16
>>>>>>>> 00900      0         0 allow ipv6-icmp from any to any ip6 icmp6types 1
>>>>>>>> 01000      0         0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>>>>>>>> 01100      0         0 check-state
>>>>>>>> 01200    371     38801 allow tcp from me to any established
>>>>>>>> 01300 131125 100329380 allow tcp from me to any setup keep-state
>>>>>>>> 01400  15375   1247143 allow udp from me to any keep-state
>>>>>>>> 01500      0         0 allow icmp from me to any keep-state
>>>>>>>> 01600      0         0 allow ipv6-icmp from me to any keep-state
>>>>>>>> 01700      0         0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
>>>>>>>> 01800      0         0 allow udp from any 67 to me dst-port 68 in
>>>>>>>> 01900      0         0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
>>>>>>>> 02000      0         0 allow udp from fe80::/10 to me dst-port 546 in
>>>>>>>> 02100      0         0 allow icmp from any to any icmptypes 8
>>>>>>>> 02200      0         0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
>>>>>>>> 02300   3390    189852 allow icmp from any to any icmptypes 3,4,11
>>>>>>>> 02400      0         0 allow ipv6-icmp from any to any ip6 icmp6types 3
>>>>>>>> 02500    164     12060 allow tcp from 192.168.0.0/24 to me
>>>>>>>> 02600    729    139344 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513
>>>>>>>> 65000   2079    233849 count ip from any to any
>>>>>>>> 65100    334     58174 deny { tcp or udp } from any to any dst-port 111,137,138 in
>>>>>>>> 65200    325    118875 deny { tcp or udp } from 192.168.0.0/24 to me
>>>>>>>> 65300      0         0 deny ip from any to 255.255.255.255
>>>>>>>> 65400      0         0 deny ip from any to 224.0.0.0/24 in
>>>>>>>> 65500      0         0 deny udp from any to any dst-port 520 in
>>>>>>>> 65500      0         0 deny tcp from any 80,443 to any dst-port 1024-65535 in
>>>>>>>> 65500   1420     56800 deny log logamount 5000 ip from any to any
>>>>>>>> 65535      0         0 deny ip from any to any
>>>>>>>> [root@kabini1, /etc, 10:26:37pm] 367 %
>>>>>>>>
>>>>>>>
>>>>>>> Anyone ? I'm over 5000 warnings, saw that in my messages file ? What gives here ?
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>> I could be wrong, but I think the 2nd column (1420) is the number of packets (log entries generated by that line) and the second column is the total bytes that those packets contained.
>>>>>>
>>>>>> The Lost Admin
>>>>>> thelostadmin@gmail.com
>>>>>
>>>>> Thanks for your reply. I think you are correct, but I don't think those are the problems here. After the last 'pkg upgrade' & freebsd-update, *something* is broadcasting to 224.0.0.22 which wasn't doing it before. I have had the above rules for months, & before the upgrade, nothing was trying to broadcast. Now something is & it is swamping ipfw logging to my messages file. Any clue what it is or how to find it ? TIA & thanks again.
>>>>>
>>>>> --
>>>>>
>>>>> 	William A. Mahaffey III
>>>> I was answering the question about the 5000 log entries. I missed the original question.
>>>>
>>>> 224.0.0.22 is a multicast address used for IGMP (Internet Group Management Protocol). You probably upgraded something that has initiated some sort of multicast group request.
>>>>
>>>
>>> Hmmmmm .... OK, good by me. Any idea how to identify that something that is now broadcasting (which wasn't before) :-) ? TIA & thanks again.
>>>
>>> --
>>>
>>> 	William A. Mahaffey III
>>>
>>>  ----------------------------------------------------------------------
>>>
>>> 	"The M1 Garand is without doubt the finest implement of war
>>> 	 ever devised by man."
>>>                            -- Gen. George S. Patton Jr.
>> Read the release notes of the things that got upgraded and see if any of them introduced multicast for something.
>>
>> Run a sniffer that is IGMP aware and see what's going on with those packets. It's probably a request to be added to a multicast group or an advertisement for one.
>>
>
> What sniffer could you suggest ? I am new to the *BSD's :-/ ....
>
> --
>
> 	William A. Mahaffey III
>
>  ----------------------------------------------------------------------
>
> 	"The M1 Garand is without doubt the finest implement of war
> 	 ever devised by man."
>                            -- Gen. George S. Patton Jr.

Wireshark is pretty but requires X11. It also does a better job of making the output understandable.

tcpdump should be included in the base system and is text so works without a GUI. You used to be able to take a tcpdump output file and feed it to Wireshark for viewing.
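The thread leaves two practical questions open: which rule is generating the flood of log entries, and what traffic to point tcpdump at. The following Python script is an added example, not code from anyone in this thread. It parses a subset of the `ipfw show` listing quoted above (rule number, packet count, byte count, rule body), reports duplicate rule numbers and how much of the `logamount` cap the logging rule has left, then aggregates constructed /var/log/security lines to find the busiest denied flow and builds a BPF filter for it. Only the first log line is from the thread; the IGMP lines are made up and assume ipfw's log format for protocols other than TCP/UDP/ICMP, which is `P:<protocol number>` (IGMP is protocol 2). All function names are mine.

```python
import re
from collections import Counter

# Constructed excerpt of the `ipfw show` listing quoted in the thread:
# columns are rule number, packet count, byte count, rule body.
IPFW_SHOW = """\
01300 131125 100329380 allow tcp from me to any setup keep-state
01400  15375   1247143 allow udp from me to any keep-state
65000   2079    233849 count ip from any to any
65400      0         0 deny ip from any to 224.0.0.0/24 in
65500      0         0 deny udp from any to any dst-port 520 in
65500      0         0 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500   1420     56800 deny log logamount 5000 ip from any to any
65535      0         0 deny ip from any to any
"""

# Constructed /var/log/security excerpt. The first line is the one quoted in the
# thread; the others are made up and assume that ipfw logs protocols other than
# TCP/UDP/ICMP as "P:<protocol number>" (IGMP is protocol 2).
SECURITY_LOG = """\
Feb 20 09:52:49 kabini1 kernel: ipfw: 65500 Deny UDP 216.180.122.2:53 192.168.0.27:32830 in via re0
Mar 28 10:01:02 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Mar 28 10:03:07 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
Mar 28 10:05:12 kabini1 kernel: ipfw: 65500 Deny P:2 192.168.0.27 224.0.0.22 out via re0
"""

SHOW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_show(text):
    """Turn `ipfw show` lines into dicts; prompts and other non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = SHOW_RE.match(line.strip())
        if m:
            rules.append({"num": int(m.group(1)), "pkts": int(m.group(2)),
                          "bytes": int(m.group(3)), "body": m.group(4)})
    return rules


def duplicate_rule_numbers(rules):
    """Rule numbers shared by several rules; `ipfw delete N` removes all of them at once."""
    counts = Counter(r["num"] for r in rules)
    return sorted(n for n, k in counts.items() if k > 1)


def logging_rules(rules):
    """Rules carrying the `log` keyword, i.e. the ones writing to the security log."""
    return [r for r in rules if re.search(r"\blog\b", r["body"])]


def log_budget_left(rule):
    """Approximate number of entries the rule may still log before its logamount cap
    silences it (cleared with `ipfw resetlog`). Uses the packet counter as the logged
    count, which only holds if neither counter has been reset. None if no cap."""
    m = re.search(r"\blogamount (\d+)", rule["body"])
    if not m:
        return None
    return max(int(m.group(1)) - rule["pkts"], 0)


def parse_log(text):
    """Extract rule, action, protocol, endpoints, direction and interface per log line."""
    return [m.groupdict() for m in (LOG_RE.search(l) for l in text.splitlines()) if m]


def top_flows(entries, n=3):
    """Busiest (proto, src, dst, dir, iface) tuples; the top one is what to sniff."""
    c = Counter((e["proto"], e["src"], e["dst"], e["dir"], e["iface"]) for e in entries)
    return c.most_common(n)


def tcpdump_filter(flow):
    """Build a BPF expression isolating one flow, for `tcpdump -ni <iface> '<expr>'`."""
    proto, src, dst, _direction, _iface = flow
    src_host, dst_host = src.split(":")[0], dst.split(":")[0]
    expr = f"src host {src_host} and dst host {dst_host}"
    if proto == "P:2":
        expr = "ip proto igmp and " + expr
    return expr


if __name__ == "__main__":
    rules = parse_show(IPFW_SHOW)
    print("duplicate rule numbers:", duplicate_rule_numbers(rules))
    for r in logging_rules(rules):
        print(f"rule {r['num']} logged {r['pkts']} pkts, {log_budget_left(r)} left: {r['body']}")
    flows = top_flows(parse_log(SECURITY_LOG))
    for flow, hits in flows:
        print(hits, flow)
    print("tcpdump -ni", flows[0][0][4], repr(tcpdump_filter(flows[0][0])))
```

Two things the output makes visible that are easy to miss when reading the listing by eye: the number 65500 is shared by three rules, so any `ipfw delete 65500` while tidying up removes all three, and the `logamount 5000` cap means the rule goes quiet after 5000 entries until `ipfw resetlog` is run, which is why "over 5000 warnings" and a silent log can both be true at once. The BPF expression the script prints is the starting point for the tcpdump run the reply recommends; once the sending host and group are confirmed, the rest of the hunt is on that host.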



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?07C9255C-5CDA-4C96-A227-EB28FC836BF5>