From: "Jorn Argelo"
To: questions@freebsd.org
Date: Mon, 8 Nov 2004 11:20:03 +0100
Message-Id: <20041108100954.M66265@wcborstel.nl>
Subject: Strange netstat output

Hi folks,

Recently I took notice of a strange netstat output within my LAN:

[jorn@www] ~> netstat -ra
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            ACA80101.ipt.aol.c UGS         0   156153    rl0
localhost          localhost          UH          2   539754    lo0
ACA80100.ipt.aol.c link#1             UC          0        0    rl0
ACA80101.ipt.aol.c 00:09:5b:a7:a4:3e  UHLW        1     3918    rl0    790
ACA80102.ipt.aol.c 00:10:a7:0d:6f:7f  UHLW        0      325    rl0   1193
ACA80104.ipt.aol.c localhost          UGHS        0        0    lo0
ACA801FF.ipt.aol.c ff:ff:ff:ff:ff:ff  UHLWb       0     1091    rl0
192.168.2.105      localhost          UGHS        0        0    lo0

The ipt.aol.com is the one that's the problem. If I ping it, it returns this:

PING ACA80102.ipt.aol.com (172.168.1.2): 56 data bytes
64 bytes from 172.168.1.2: icmp_seq=0 ttl=64 time=0.120 ms
64 bytes from 172.168.1.2: icmp_seq=1 ttl=64 time=0.149 ms
64 bytes from 172.168.1.2: icmp_seq=2 ttl=64 time=0.149 ms
^C
--- ACA80102.ipt.aol.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.120/0.139/0.149/0.014 ms
[jorn@www] ~>

Which is my internal IP address. If I ping ACA80104, it goes to 172.168.1.4. If I ping ACA80100, it says 172.168.1.100 and ACA801FF is the 172.168.1.255 address (the broadcast address, if I recall my Cisco classes correctly). The 192.168.1.105 address is rather strange as well, because I'm not using that range on the router's DHCP server (Netgear FVS318, in case you want to know).

So my question is, what are these? My firewall log (on the router) is showing some major blocking on port 445 and 135. It's not like one IP address is doing all the bad stuff; most of them are just random grabs from virus-infected machines.

Thanks in advance,

Jorn
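Added example, not part of the original message: a small Python check that decodes the hex-labelled names in the Destination column above back to dotted-quad addresses and tests each against the RFC 1918 private blocks (the 172 block is 172.16.0.0/12, which does not contain 172.168.1.x). It assumes the first eight hex digits of each name are the address, as the ping output for ACA80102 suggests; the function names are illustrative.

```python
import ipaddress
import re

# Destination column copied from the netstat output in the message
# (netstat truncates the names to "ipt.aol.c").
DESTINATIONS = [
    "default", "localhost",
    "ACA80100.ipt.aol.c", "ACA80101.ipt.aol.c", "ACA80102.ipt.aol.c",
    "ACA80104.ipt.aol.c", "ACA801FF.ipt.aol.c", "192.168.2.105",
]

# Assumption: the leading 8 hex digits of the name encode the IPv4 address.
HEX_LABEL = re.compile(r"^([0-9A-Fa-f]{8})\.ipt\.aol\.c")

# The three private-use blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_destination(dest):
    """Return the IPv4Address behind a hex-labelled name or a dotted quad,
    or None for entries such as 'default' and 'localhost'."""
    match = HEX_LABEL.match(dest)
    if match:
        return ipaddress.IPv4Address(int(match.group(1), 16))
    try:
        return ipaddress.IPv4Address(dest)
    except ipaddress.AddressValueError:
        return None


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private blocks."""
    return any(addr in net for net in RFC1918)


def audit(destinations):
    """Return (destination, decoded address, is_private) for each decodable row."""
    rows = []
    for dest in destinations:
        addr = decode_destination(dest)
        if addr is not None:
            rows.append((dest, str(addr), is_rfc1918(addr)))
    return rows


if __name__ == "__main__":
    for dest, ip, private in audit(DESTINATIONS):
        status = "RFC 1918 private" if private else "NOT private (public space)"
        print(f"{dest:20} {ip:16} {status}")
```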