Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 23 Jun 2005 10:42:27 -0400
From:      "Stephan Weaver" <stephanweaver@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   IPFILTER 'again' ?
Message-ID:  <BAY20-F271D2273E9724F83E2D293A8EA0@phx.gbl>

next in thread | raw e-mail | index | archive | help
Hello,

I notice this in my /var/log/ipfilter.log.
23/06/2005 10:36:06.691347 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61827 
PR udp len 20 66 IN
23/06/2005 10:36:07.652341 vr0 @0:29 b 196.3.132.4,53 -> 192.168.1.1,61828 
PR udp len 20 70 IN


Which should never occur. Since My Rules Look like.
ipf.rules
--
block in all
block out all

pass in quick on lo0 all
pass out quick on lo0 all

pass in quick on vr1 all
pass out quick on vr1 all

pass out quick on vr0 from any to any keep state

pass in quick on vr0 proto tcp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.1 to any port = 53 keep state
pass in quick on vr0 proto tcp from 196.3.132.4 to any port = 53 keep state
pass in quick on vr0 proto udp from 196.3.132.4 to any port = 53 keep state


# Block all inbound traffic from non-routable or reserved address spaces
block in log quick on vr0 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in log quick on vr0 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in log quick on vr0 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in log quick on vr0 from 127.0.0.0/8 to any      #loopback
block in log quick on vr0 from 0.0.0.0/8 to any        #loopback
block in log quick on vr0 from 169.254.0.0/16 to any   #DHCP auto-config
block in log quick on vr0 from 192.0.2.0/24 to any     #reserved for doc's
block in log quick on vr0 from 204.152.64.0/23 to any  #Sun cluster 
interconnect
block in log quick on vr0 from 224.0.0.0/3 to any       #Class D & E 
multicast


# Block frags
block in quick on vr0 all with frags
# Block short tcp packets
block in quick on vr0 proto tcp all with short
# Block source routed packets
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on vr0 proto tcp all flags FUP
block in log first quick on vr0 proto tcp all flags SF/SFRA
block in log first quick on vr0 proto tcp all flags /SFRA
block in log first quick on vr0 proto tcp all flags F/SFRA
block in log first quick on vr0 proto tcp all flags U/SFRAU
block in log first quick on vr0 proto tcp all flags P
# Block anything with special options
block in quick on vr0 all with ipopts
# Block public pings
block in log quick on vr0 proto icmp all icmp-type 8


# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a .denial of service. attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on vr0 all





Thanks,
Stephan Weaver
stephanweaver@hotmail.com

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BAY20-F271D2273E9724F83E2D293A8EA0>