Date:      Fri, 18 Jun 2004 12:49:27 -0400
From:      "JJB" <Barbish3@adelphia.net>
To:        "Robert Downes" <nullentropy@lineone.net>, <freebsd-ipfw@freebsd.org>
Subject:   RE: Blocked outbound traffic - what is it?
Message-ID:  <MIEPLLIBMLEEABPDBIEGAECLGDAA.Barbish3@adelphia.net>
In-Reply-To: <40D3106A.9030403@lineone.net>

Those web sites are ms/windows spyware reporting home about where
you browse. Just type those ip addresses into your browser and you
will see a double-click banner page.  Your ipfw rules are doing their
thing of not allowing that ms/windows spyware to do its thing.

From your ipfw log I would say the ms/windows box you are using is
compromised. Looks to me like you have an email virus and spyware on
that box.  Ipfw is working just fine.

Use nslookup  ipaddress  from the FBSD command line to check out
those logged ip addresses next time.

The ip address of the 110 packet is not your ISP's pop3 email server
I bet.


By the way there are 2 examples in the archive email you referenced
and you have made your own changes to one of them so they have no
meaning to what you are using on your box. People need to see what
YOU are running not some generic sample. Just for your education
next time you have a problem.

And blow away your ms/windows system and reinstall to get a known
clean system and all those outbound log records will stop happening.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Robert Downes
Sent: Friday, June 18, 2004 11:55 AM
To: freebsd-ipfw@freebsd.org
Subject: Re: Blocked outbound traffic - what is it?

Matthew McGehrin wrote:

>You need to post your ruleset to the list along with some of your logs, or
>you're not going to get a response.
>
The ruleset is the one posted to this list recently:


http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182.html

and some of the output of `cat /var/log/security | grep out`:

Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0

These are just a few of many similar entries. The requests to port 110
are to a legitimate mail server. The requests to port 80 seem to be to
banner-ad addresses, and to addresses that are legitimate but are not
the same IP as the original browser request.

But my point is: what feature of these packets is making them fail the
filter, and why do I not seem to be missing anything on the pages (such
as banner ads) even though requests are being blocked?

If it's perfectly reasonable for these packets to be denied, then I'm
happy with that. But I'm worried that something important is being
killed on the spot. (Even though I can't work out what.)

--
Bob

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to
"freebsd-ipfw-unsubscribe@freebsd.org"



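An added example, not part of either message: a small Python summarizer for the ipfw deny entries quoted above. It groups outbound denies by rule and destination so that each address can then be checked with a reverse lookup, as the reply suggests. The function names are this example's own, and the sample input is the quoted log with its wrapped lines rejoined.

```python
import re
import socket
from collections import OrderedDict

# Sample input: the log lines quoted in the message, one entry per line.
SAMPLE_LOG = """\
Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
"""

ENTRY = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def summarize_denied_out(log_text):
    """Group outbound Deny entries by (rule number, destination IP, destination port)."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or m["action"] != "Deny" or m["dir"] != "out":
            continue  # not an outbound deny entry, or not an ipfw line at all
        key = (int(m["rule"]), m["dst"], int(m["dport"]))
        g = groups.setdefault(key, {"packets": 0, "flows": set(), "first": m["when"]})
        g["packets"] += 1
        # A repeated (src, sport) pair is the same connection logged again.
        g["flows"].add((m["src"], int(m["sport"])))
        g["last"] = m["when"]
    return groups

def reverse_name(ip):
    """PTR lookup, the same question `nslookup ipaddress` asks; needs DNS access."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "(no PTR record)"

if __name__ == "__main__":
    for (rule, dst, dport), g in summarize_denied_out(SAMPLE_LOG).items():
        print(f"rule {rule} -> {dst}:{dport}  packets={g['packets']} "
              f"connections={len(g['flows'])}  {g['first']} .. {g['last']}")
        # print("   ", reverse_name(dst))  # enable on a host with DNS access
```

On a live system the input would be the contents of /var/log/security rather than SAMPLE_LOG.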