From owner-freebsd-questions Tue Jan 1 15:24: 8 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.mango-bay.com (mail.mango-bay.com [208.206.15.12]) by hub.freebsd.org (Postfix) with ESMTP id ABF1037B41E for ; Tue, 1 Jan 2002 15:24:05 -0800 (PST)
Received: from barbish ([63.70.155.19]) by mail.mango-bay.com (Post.Office MTA v3.5.3 release 223 ID# 0-52377U2500L250S0V35) with SMTP id com; Tue, 1 Jan 2002 16:31:43 -0500
From: "Joe & Fhe Barbish"
To: "Joe Clarke"
Cc: "FBSD Questions"
Subject: RE: IPFW UDP port# 520
Date: Tue, 1 Jan 2002 16:29:15 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
In-Reply-To: <1009907433.16477.4.camel@shumai.marcuscom.com>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This machine is a virgin install of FBSD that has never been connected to the
internet without a firewall. There's no way that the Ripper Trojan could have
infested my box. The 520's I am receiving can only be from my ISP's router.
What ipfw rules do I need to respond to make that router happy and shut up?

-----Original Message-----
From: Joe Clarke [mailto:marcus@marcuscom.com]
Sent: Tuesday, January 01, 2002 12:50 PM
To: Joe & Fhe Barbish
Cc: FBSD Questions
Subject: Re: IPFW UDP port# 520

On Tue, 2002-01-01 at 12:22, Joe & Fhe Barbish wrote:
> Happy new year to all FBSD list readers.
>
> I see in my security log a lot of denied packets over and
> over again of the same kind.
>
> Deny UDP 208.203.25.3:520 63.163.61.14:520 in via tun0
>
> 208.203.25.3 is my ISP's IP address and 63.163.61.14 is my IP address.
>
> When I look up what port 520 is it says a local routing process
> or Trojan Ripper. I think it's my ISP's front door router
> inquiring if I am still there.
> Since my firewall is denying the request it just keeps repeating.
>
> How can I be sure it's my ISP's router and not the Ripper Trojan?

I've never seen udp/520 used as a trojan port. In fact, Trojans are usually
booby-trapped programs that lie around waiting for someone to use them. I
don't know what a trojan UDP port would be. Chances are, this is your ISP's
router trying to talk RIP with you. While I can't imagine a big ISP using RIP
anymore, it's certainly possible.

> What rules do I need to add to my IPFW rules set to resolve this?

If you're really nervous about this, make sure nothing is listening on
udp/520 (i.e. turn off routed or gated), and allow the packets through for a
short time. Put a sniffer on the interface, and see if it recognizes the
packets as RIP. RIP is defined by RFC1058, so you can compare the message
formats and see what those packets are trying to do. It might be just
advertising a 0.0.0.0 default route to you.

Joe

> Thanks
>
> Joe
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
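The check Joe Clarke suggests (briefly allow udp/520, sniff it, and compare the bytes with the RFC 1058 message layout) can be done with a small decoder. The following is an added example, not code from this thread or from FreeBSD: a RIPv1 parser run over constructed payloads of the kind a router sends when advertising a 0.0.0.0 default route or asking for a routing table.

```python
import struct
from ipaddress import IPv4Address

# RFC 1058 wire format: 4-byte header followed by up to 25 entries of 20 bytes.
HEADER = struct.Struct("!BBH")         # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")    # AFI, must-be-zero, IP, zero, zero, metric
COMMANDS = {1: "request", 2: "response"}
AF_INET, INFINITY, MAX_ENTRIES = 2, 16, 25

def parse_rip_v1(payload: bytes) -> dict:
    """Decode a UDP/520 payload as RIPv1; raise ValueError if it does not fit RFC 1058.
    RIPv2 (version 2) reuses the zero fields for tag/mask/next hop and is not handled."""
    if len(payload) < HEADER.size or (len(payload) - HEADER.size) % ENTRY.size:
        raise ValueError("length is not header + n*20 bytes")
    command, version, zero = HEADER.unpack_from(payload)
    if command not in COMMANDS or version != 1 or zero != 0:
        raise ValueError("header is not a RIPv1 request/response")
    entries = []
    for off in range(HEADER.size, len(payload), ENTRY.size):
        afi, z1, addr, z2, z3, metric = ENTRY.unpack_from(payload, off)
        if z1 or z2 != bytes(4) or z3 != bytes(4) or not 1 <= metric <= INFINITY:
            raise ValueError("entry violates must-be-zero or metric rules")
        entries.append({"afi": afi, "addr": str(IPv4Address(addr)), "metric": metric})
    if len(entries) > MAX_ENTRIES:
        raise ValueError("more than 25 entries")
    return {"command": COMMANDS[command], "version": version, "entries": entries}

def describe(payload: bytes) -> str:
    """Verdict a defender wants from the sniffed packet: is it RIP, and what does it carry?"""
    try:
        msg = parse_rip_v1(payload)
    except ValueError as err:
        return f"not RIPv1: {err}"
    ents = msg["entries"]
    # RFC 1058: a request with a single entry, AFI 0 and metric 16 asks for the whole table.
    if (msg["command"] == "request" and len(ents) == 1
            and ents[0]["afi"] == 0 and ents[0]["metric"] == INFINITY):
        return "RIPv1 request for the whole routing table"
    routes = ", ".join(f"{e['addr']} metric {e['metric']}" for e in ents)
    return f"RIPv1 {msg['command']} advertising {routes}"

# Constructed sample payloads (not captured traffic): a response advertising only a
# default route with metric 1, and a whole-table request.
SAMPLE_DEFAULT_ROUTE = bytes.fromhex("02010000" "00020000" "00000000" "00000000" "00000000" "00000001")
SAMPLE_TABLE_REQUEST = bytes.fromhex("01010000" "00000000" "00000000" "00000000" "00000000" "00000010")

if __name__ == "__main__":
    for name, pkt in [("default route", SAMPLE_DEFAULT_ROUTE), ("table request", SAMPLE_TABLE_REQUEST)]:
        print(f"{name}: {describe(pkt)}")
```

Feed it the UDP payload of a sniffed udp/520 datagram; anything the parser rejects is not RIPv1 and deserves a closer look rather than an allow rule.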