Re: ipf not blocking? am i too paranoid? (IPFilter forums, System Security and Security Related category)
On Sun, 16 Nov 2003 08:06:50 +0100
Amadeus <poff@sixbit.org> wrote:

> Hello I have a question about some strange traffic on an external
> interface:
>
> 192.168.071.223 239.255.255.250 17 32768 1900 0 594 0 2
> 192.168.071.243 239.255.255.250 17 32768 1900 0 594 0 2
> 192.168.071.248 239.255.255.250 17 32768 1900 0 594 0 2
> 192.168.076.047 239.255.255.250 17 32768 1900 0 296 0 1
>
> from ipaudit (neither the source nor the destination is ours). Is this
> legitimate traffic? What kind of ports are those (32768 1900)? Anyway I
> have the following ipf:
>
> block in log quick on ne0 from 192.168.0.0/16 to any
> block in log quick on ne0 from 172.16.0.0/12 to any
> block in log quick on ne0 from 10.0.0.0/8 to any
> block in log quick on ne0 from 127.0.0.0/8 to any
> block in log quick on ne0 from 0.0.0.0/8 to any
> block in log quick on ne0 from 169.254.0.0/16 to any
> block in log quick on ne0 from 192.0.2.0/24 to any
> block in log quick on ne0 from 204.152.64.0/23 to any
> block in log quick on ne0 from 224.0.0.0/3 to any
>
> block out log quick on ne0 from 192.168.0.0/16 to any
> block out log quick on ne0 from 172.16.0.0/12 to any
> block out log quick on ne0 from 10.0.0.0/8 to any
> block out log quick on ne0 from 127.0.0.0/8 to any
> block out log quick on ne0 from 0.0.0.0/8 to any
> block out log quick on ne0 from 169.254.0.0/16 to any
> block out log quick on ne0 from 192.0.2.0/24 to any
> block out log quick on ne0 from 204.152.64.0/23 to any
> block out log quick on ne0 from 224.0.0.0/3 to any
>
> block in on ne0 from any to any head 100
>
> And I have no "pass in (quick)" rules at all - so why is this traffic
> passing?
>
> The only out rules I have are for a bunch of standard ports, not the
> above...
>
> Also I'm getting the following every second or two from ipmon (so ipf IS
> blocking them:)
>
> 16/11/2003 13:13:54.429224 ne0 @0:4 b 192.168.76.47,32768 -> 239.255.255.250,1900 PR udp len 20 282 IN
> 16/11/2003 13:14:14.606964 ne0 @0:4 b 192.168.71.248,32768 -> 239.255.255.250,1900 PR udp len 20 283 IN
> 16/11/2003 13:14:19.975369 ne0 @0:4 b 192.168.71.247,32768 -> 239.255.255.250,1900 PR udp len 20 283 IN
>
> Is any of the above normal? Am I being too paranoid?
>
> Thanks,
>
> Amadeus
> --
> poff@sixbit.org
> SDF Public Access UNIX System - http://sdf.lonestar.org

From FreeBSD ports/net/ipaudit/pkg-descr: "Ipaudit is built using the pcap
packet capture library to read the network port ...". Not quite sure, but
doesn't this mean packets are observed outside of ipfilter/ipnat, like
tcpdump? Seems what ipmon says is correct.

horio shoichi
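The point of the reply is that ipaudit counts packets at the pcap tap, while ipmon records what ipf actually decided, so the two outputs have to be joined before "it shows up in ipaudit" can be read as "ipf let it through". The script below is an added example written for this page (it is not code from either poster, ipaudit or IPFilter): it parses the ipmon and ipaudit excerpts quoted above (embedded as constructed sample input copied from the thread), checks each source against the poster's quick-block prefixes in rule order, flags the SSDP/UPnP multicast destination 239.255.255.250 port 1900/UDP, and lists every pcap-observed flow for which no ipmon block record exists. Assumptions: ipaudit's first five columns are source, destination, IP protocol number, source port and destination port (the remaining counter columns are kept raw and not interpreted); the ipmon line layout is the one shown in the post; the function and constant names are the example's own.

```python
import ipaddress
import re

# Source prefixes from the poster's "block in log quick on ne0" rules, in rule order.
BLOCKED_SOURCES = [ipaddress.ip_network(p) for p in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
    "224.0.0.0/3",
)]

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")   # SSDP/UPnP discovery multicast group
SSDP_PORT = 1900

# ipmon line as shown in the post: date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen DIR
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)"
)

# Constructed sample input: the excerpts quoted in the thread, one record per line.
SAMPLE_IPAUDIT = [
    "192.168.071.223 239.255.255.250 17 32768 1900 0 594 0 2",
    "192.168.071.243 239.255.255.250 17 32768 1900 0 594 0 2",
    "192.168.071.248 239.255.255.250 17 32768 1900 0 594 0 2",
    "192.168.076.047 239.255.255.250 17 32768 1900 0 296 0 1",
]
SAMPLE_IPMON = [
    "16/11/2003 13:13:54.429224 ne0 @0:4 b 192.168.76.47,32768 -> 239.255.255.250,1900 PR udp len 20 282 IN",
    "16/11/2003 13:14:14.606964 ne0 @0:4 b 192.168.71.248,32768 -> 239.255.255.250,1900 PR udp len 20 283 IN",
    "16/11/2003 13:14:19.975369 ne0 @0:4 b 192.168.71.247,32768 -> 239.255.255.250,1900 PR udp len 20 283 IN",
]


def normalize_ipv4(text):
    """ipaudit zero-pads octets (192.168.071.223); ipaddress rejects leading zeros, so strip them."""
    return ipaddress.ip_address(".".join(str(int(o)) for o in text.split(".")))


def matching_block_rule(src):
    """1-based index of the first quick block rule whose source prefix covers src, or None."""
    for i, net in enumerate(BLOCKED_SOURCES, 1):
        if src in net:
            return i
    return None


def is_ssdp(dst, dport, proto):
    return proto == "udp" and dst == SSDP_GROUP and dport == SSDP_PORT


def parse_ipmon(line):
    """Parse one ipmon record; returns None for lines that do not match the layout."""
    m = IPMON_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    src, dst, dport = normalize_ipv4(d["src"]), normalize_ipv4(d["dst"]), int(d["dport"])
    return {
        "iface": d["iface"], "action": d["action"], "rule": f"@{d['group']}:{d['rule']}",
        "src": src, "sport": int(d["sport"]), "dst": dst, "dport": dport,
        "proto": d["proto"], "dir": d["dir"],
        "blocked_by_prefix": matching_block_rule(src),
        "ssdp": is_ssdp(dst, dport, d["proto"]),
    }


def parse_ipaudit(line):
    """Parse an ipaudit row: src dst proto sport dport ... (assumed column order; counters kept raw)."""
    f = line.split()
    if len(f) < 5:
        return None
    proto = {17: "udp", 6: "tcp", 1: "icmp"}.get(int(f[2]), f[2])
    src, dst, dport = normalize_ipv4(f[0]), normalize_ipv4(f[1]), int(f[4])
    return {
        "src": src, "dst": dst, "proto": proto, "sport": int(f[3]), "dport": dport,
        "counters": f[5:],
        "blocked_by_prefix": matching_block_rule(src),
        "ssdp": is_ssdp(dst, dport, proto),
    }


def reconcile(ipaudit_lines, ipmon_lines):
    """Flows seen at the pcap tap (ipaudit) that have no ipmon block record; these are the ones to chase."""
    blocked = {(r["src"], r["dst"], r["proto"], r["dport"])
               for r in map(parse_ipmon, ipmon_lines) if r and r["action"] == "b"}
    return [r for r in filter(None, map(parse_ipaudit, ipaudit_lines))
            if (r["src"], r["dst"], r["proto"], r["dport"]) not in blocked]


if __name__ == "__main__":
    for r in map(parse_ipmon, SAMPLE_IPMON):
        print(f"ipmon {r['rule']} {r['action']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"prefix-rule={r['blocked_by_prefix']} ssdp={r['ssdp']}")
    for r in reconcile(SAMPLE_IPAUDIT, SAMPLE_IPMON):
        print(f"no ipmon block record in this sample for {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']}")
```

Run against the thread's excerpts, every ipmon record is a block ("b") whose source falls under the first quick rule (192.168.0.0/16) and whose destination is the SSDP multicast group, and two of the four ipaudit flows have no matching ipmon line only because the post quotes a few seconds of each log; over complete logs, a flow left over from reconcile() is the thing that actually deserves a look, not the ipaudit count by itself.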