From: Robert Marella
To: Danny Pansters
cc: freebsd-questions@freebsd.org
Date: Mon, 04 Apr 2005 12:45:33 -1000
Subject: Re: ipflog entries?
Message-ID: <4251C38D.6020002@gmail.com>
In-Reply-To: <200504050029.57829.danny@ricin.com>
References: <4251BA47.2030901@gmail.com> <200504050029.57829.danny@ricin.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050326
List-Id: User questions (freebsd-questions@freebsd.org)

Danny Pansters wrote:

> On Tuesday 05 April 2005 00:05, Robert Marella wrote:
>
>> Greetings
>>
>> My daily mail on my firewall (5.3-rel-p4) has always shown many (> 10000) blocks by my blocking rule
>> "block in quick on em0 from 10.0.0.0/8 to any". Obviously I'm using ipf/ipnat.
>>
>> So, for education, today I enabled "log" for a short time on that rule.
>> Within a few minutes I logged over twenty attempts from the same address. (Sample below, text attached)
>>
>> 04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
>> 04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>> 04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
>> 04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>>
>> Port 67 shows dhcps and 68 shows dhcpc in /etc/services.
>>
>> em0 is connected to my roadrunner cable modem. Is the cable modem doing this or is someone spoofing this IP address?
>>
>> Sorry if this has been answered already but I'm kind of new to the firewall stuff.
>>
>> Thank you for your time.
>> Robert
>>
>
> It's your cable provider insisting to send you bootps info (for broken windows customers I reckon). Yech, that's as if you're some network appliance :) Mine does that too. I just drop/not log them. Whenever your dhclient needs to renew a lease it will connect, and if your firewall keeps state on that, your ISP's dhcp server has its lucky moment because for once something may connect back in. Both of you happy.
>
> HTH,
>
> Dan
>

Thanks Dan. I kinda thunk it was something like that. Just wanted someone such as yourself to confirm. The sheer number that was reported in the daily mail was what got me concerned. I was and am just dropping them. I only enabled the log for about 5 minutes.

Thanks again
Robert
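The thread's answer comes down to reading the ipmon log lines and noticing that every blocked packet is a DHCP server (udp port 67) sending to the limited broadcast address on port 68, which is normal ISP noise rather than spoofing. The following is an added example, not code from the thread or from the ipfilter project: a small parser for the ipmon line layout shown above that classifies each blocked inbound entry so the daily summary can say "4 DHCP server broadcasts from 10.96.0.1" instead of just "10000 blocks". The four log lines are copied from the post; the fifth line and the 192.0.2.10 address are constructed for illustration, and the field layout (DATE TIME IFACE @GROUP:RULE ACTION SRC,SPORT -> DST,DPORT PR PROTO len HLEN TOTLEN DIR) is assumed from the sample lines only.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Layout assumed from the sample lines in the thread:
# DATE TIME IFACE @GROUP:RULE ACTION SRC,SPORT -> DST,DPORT PR PROTO len HLEN TOTLEN DIR
IPMON_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<length>\d+) (?P<direction>IN|OUT)$"
)

# Constructed sample input: four lines from the post plus one made-up inbound TCP hit.
SAMPLE_LOG = [
    "04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN",
    "04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN",
    "04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN",
    "04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN",
    # constructed: some other 10/8 host hitting the same block rule
    "04/04/2005 11:34:02.100000 em0 @0:3 b 10.12.34.56,1234 -> 192.0.2.10,445 PR tcp len 20 48 IN",
]

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class IpmonEntry:
    iface: str
    rule: str        # "group:rule" taken from the @0:3 field
    action: str      # 'b' = blocked, 'p' = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str   # IN or OUT


def parse_line(line):
    """Parse one ipmon line; return None for lines that do not match the layout."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonEntry(
        iface=m["iface"], rule=f"{m['group']}:{m['rule']}", action=m["action"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"].lower(), direction=m["direction"],
    )


def classify(entry):
    """Label an entry the way the thread explains it.

    The DHCP check runs first: 10.96.0.1 is also an RFC 1918 source, and the
    point of the thread is that bootps -> bootpc broadcasts are benign ISP noise.
    """
    if (entry.proto == "udp" and entry.sport == 67 and entry.dport == 68
            and entry.dst == "255.255.255.255"):
        return "dhcp-server-broadcast"
    if any(ip_address(entry.src) in net for net in RFC1918):
        return "rfc1918-source"
    return "other"


def summarize(lines):
    """Count blocked inbound flows by (label, src, sport, dst, dport)."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.action != "b" or entry.direction != "IN":
            continue
        counts[(entry.__class__ and classify(entry), entry.src, entry.sport, entry.dst, entry.dport)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        label, src, sport, dst, dport = key
        print(f"{n:6d}  {label:24s} {src}:{sport} -> {dst}:{dport}")
```

Run over a real ipmon log, the `dhcp-server-broadcast` bucket is the one Dan describes: harmless to drop, and not worth logging, while anything landing in `other` is what actually deserves a look.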