DaemonForums > FreeBSD > FreeBSD Security

#1
Old 30th May 2010
kondziq
New User
 
Join Date: Jun 2009
Posts: 9
weird logs in pf

Hey guys,

I recently had that in my pf logs:
Code:
00:00:03.911759 rule 0/0(match): block in on rl1: 0.76.241.0 > 214.26.28.9: at-#96 5
00:00:00.000017 rule 0/0(match): block in on rl1: 0.76.242.0 > 214.26.128.9: at-#96 5
00:00:00.000356 rule 0/0(match): block in on rl1: 0.76.243.0 > 214.26.96.9: at-#96 5
00:00:00.000224 rule 0/0(match): block in on rl1: 0.76.115.0 > 209.26.226.9: at-#96 5
00:00:05.009093 rule 0/0(match): block in on rl1: 0.76.23.0 > 219.26.34.10: at-#96 5
00:00:00.000061 rule 0/0(match): block in on rl1: 0.76.242.0 > 214.26.128.9: at-#96 5
00:00:05.049854 rule 0/0(match): block in on rl1: 0.76.217.0 > 224.26.247.10: at-#96 5
00:00:00.000023 rule 0/0(match): block in on rl1: 0.76.242.0 > 214.26.128.9: at-#96 5
00:00:05.021413 rule 0/0(match): block in on rl1: 0.76.46.0 > 229.26.5.11: at-#96 5
00:00:00.000105 rule 0/0(match): block in on rl1: 0.76.242.0 > 214.26.128.9: at-#96 5
rl1 is my internal interface, so it looks as if those weird packets were coming from inside the network. Any idea what that might be? Also, how do I read that ': at-#96 5' part?

Thanks and regards,
K.
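How to read `0.76.241.0 > 214.26.28.9: at-#96 5`. This is an added explanation and example, not part of the original thread. Everything after `block in on rl1:` comes from tcpdump's AppleTalk printer, not its IP printer. tcpdump's UDP decoder contains a heuristic for AppleTalk-over-UDP (KIP): when one of the UDP ports is in the AppleTalk port range and the third byte of the UDP payload equals the LAP type for DDP (2), it hands the payload to the AppleTalk decoder and never prints the IP addresses. That decoder prints source and destination as `netHi.netLo.node.socket` taken from the 13-byte DDP header it thinks it found, and `at-#96 5` is its output for a DDP type it cannot decode: type 96, with 5 bytes of payload after the header. So `0.76.241.0` and `214.26.28.9` are not IP addresses at all, which is also why the "destination" in the lines logged five seconds apart simply counts 214, 219, 224, 229, as a counter or timer field in an application payload would. The real IPv4 source is a host behind rl1; the Skype laptop identified at the end of the thread fits, since Skype sends UDP to arbitrary ports. The script below reconstructs that logic from tcpdump's print-udp.c and print-atalk.c as I remember them; the port range it tests (taken as 200-207), the host addresses 192.168.1.10 and 203.0.113.5, and the ports are assumptions for the constructed packet. It renders the constructed packet to the thread's first log line, renders the same bytes as plain UDP when the port is outside the range, and parses the DDP fields back out of an existing log line.

```python
import re
import struct

LAP_DDP = 2                   # LAP "type" byte announcing a long-form DDP datagram
LAP_SIZE = 3                  # struct LAP { dst node, src node, type }
DDP_SIZE = 13                 # long DDP header, laid out as DDP_FMT
DDP_FMT = "!HHHHBBBBB"        # len, checksum, dstNet, srcNet, dstNode, srcNode, dstSkt, srcSkt, type
KIP_PORTS = range(200, 208)   # assumption: the AppleTalk-over-UDP ports tcpdump tests


def parse_ipv4_udp(pkt: bytes):
    """Split a raw IPv4/UDP packet into (src_ip, dst_ip, sport, dport, udp_payload)."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def looks_like_kip(sport, dport, payload):
    """tcpdump's test: a KIP port on either side and the LAP type byte == lapDDP."""
    return (len(payload) > 2 and payload[2] == LAP_DDP
            and (sport in KIP_PORTS or dport in KIP_PORTS))


def atalk_addr(net, node, skt):
    """How tcpdump -n prints an AppleTalk address: netHi.netLo.node.socket."""
    return f"{net >> 8}.{net & 0xFF}.{node}.{skt}"


def render_atalk(payload):
    """What tcpdump's AppleTalk printer emits for a DDP type it has no decoder for."""
    if len(payload) < LAP_SIZE + DDP_SIZE:
        return f"[|ddp {len(payload) - LAP_SIZE}]"
    (_len, _ck, dst_net, src_net, dst_node, src_node,
     dst_skt, src_skt, ddp_type) = struct.unpack(DDP_FMT, payload[LAP_SIZE:LAP_SIZE + DDP_SIZE])
    remaining = len(payload) - LAP_SIZE - DDP_SIZE      # the "5" in "at-#96 5"
    return (f"{atalk_addr(src_net, src_node, src_skt)} > "
            f"{atalk_addr(dst_net, dst_node, dst_skt)}: at-#{ddp_type} {remaining}")


def render_like_tcpdump(pkt):
    """Render the packet the way `tcpdump -n` would after the pflog header."""
    src, dst, sport, dport, payload = parse_ipv4_udp(pkt)
    if looks_like_kip(sport, dport, payload):
        return render_atalk(payload)          # the IP addresses are never printed
    return f"IP {src}.{sport} > {dst}.{dport}: UDP, length {len(payload)}"


LOG_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+) > (\d+)\.(\d+)\.(\d+)\.(\d+): at-#(\d+) (\d+)")


def decode_log_line(line):
    """Recover the DDP header fields from an 'a.b.c.d > e.f.g.h: at-#T N' log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    return {"src_net": f[0] << 8 | f[1], "src_node": f[2], "src_skt": f[3],
            "dst_net": f[4] << 8 | f[5], "dst_node": f[6], "dst_skt": f[7],
            "ddp_type": f[8], "ddp_payload_len": f[9]}


def build_sample(dport=202):
    """Constructed packet (assumed hosts 192.168.1.10 -> 203.0.113.5) whose UDP payload
    carries 0x02 at offset 2 and a 13-byte 'DDP header' that tcpdump renders as the
    thread's first log line."""
    payload = (bytes([0, 0, LAP_DDP])
               + struct.pack(DDP_FMT, DDP_SIZE + 5, 0, 0xD61A, 0x004C, 28, 241, 9, 0, 96)
               + b"\x00" * 5)
    udp = struct.pack("!HHHH", 43210, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return ip + udp


if __name__ == "__main__":
    print(render_like_tcpdump(build_sample()))            # 0.76.241.0 > 214.26.28.9: at-#96 5
    print(render_like_tcpdump(build_sample(dport=5000)))  # IP 192.168.1.10.43210 > 203.0.113.5.5000: UDP, length 21
    print(decode_log_line("block in on rl1: 0.76.241.0 > 214.26.28.9: at-#96 5"))
```

To see the real IP header behind such a line, re-read the log with a hex dump, e.g. `tcpdump -n -e -ttt -r /var/log/pflog -x`: `-x` prints the packet after the link-level (pflog) header, so the first 20 bytes are the IPv4 header and bytes 12-19 are the true source and destination addresses. That is the check that would have pointed at the LAN host straight away.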
#2
Old 30th May 2010
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

The source/origin addresses:
Code:
$ whois 0.76.46.0

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   0.0.0.0 - 0.255.255.255
CIDR:       0.0.0.0/8
NetName:    SPECIAL-IPV4-LOCAL-ID-IANA-RESERVED
NetHandle:  NET-0-0-0-0-1
Parent:
NetType:    IANA Special Use
Comment:    This block is assigned for use as local
Comment:    identification addresses. 0.0.0.0 refers to
Comment:    "this" host on "this" network. 0.0.0.0
Comment:    MUST NOT be sent, except as a source address
Comment:    as part of an initialization procedure
Comment:    by which the host learns its own IP address.
Comment:    This block was assigned by the IETF in the
Comment:    Standard document, RFC 1122, and is
Comment:    further documented in the Best Current
Comment:    Practice document RFC 5735. These documents
Comment:    can be found at:
Comment:    http://www.rfc-editor.org/rfc/rfc1122.txt
Comment:    http://www.rfc-editor.org/rfc/rfc5735.txt
RegDate:
Updated:    2010-04-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org

# ARIN WHOIS database, last updated 2010-05-29 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
The destination addresses 214.x.x.x:
Code:
$ whois 214.26.128.9 

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   214.0.0.0 - 214.255.255.255
CIDR:       214.0.0.0/8
NetName:    DNIC-NET-214
NetHandle:  NET-214-0-0-0-1
Parent:
NetType:    Direct Allocation
The 229.26.5.11 address:
Code:
$ whois 229.26.5.11

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   224.0.0.0 - 239.255.255.255
CIDR:       224.0.0.0/4
NetName:    MCAST-NET
NetHandle:  NET-224-0-0-0-1
Parent:
NetType:    IANA Special Use
NameServer: FLAG.EP.NET
NameServer: STRUL.STUPI.SE
NameServer: NS.ISI.EDU
NameServer: NIC.NEAR.NET
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 3171 for additional information.
Comment:
RegDate:    1991-05-22
Updated:    2002-09-16
From http://en.wikipedia.org/wiki/IP_multicast

Quote:
Multicast: A multicast address is associated with a group of interested receivers. According to RFC 3171, addresses 224.0.0.0 to 239.255.255.255, the former Class D addresses, are designated as multicast addresses in IPv4. The sender sends a single datagram (from the sender's unicast address) to the multicast address, and the intermediary routers take care of making copies and sending them to all receivers that have registered their interest in data from that sender.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
Old 31st May 2010
kondziq
New User

Join Date: Jun 2009
Posts: 9

Hey,

Thanks for the reply. Call me an idiot, but I still don't seem to fully get it. I can see addresses there that are different from the multicast ones, so I still don't know how they could be sent from inside my network. Besides, how is it possible that this IANA can send from inside my network anyway?!

Thanks and regards,
K.
#4
Old 1st June 2010
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Could it be mobile phones that are trying to reach the internet?
#5
Old 2nd June 2010
kondziq
New User

Join Date: Jun 2009
Posts: 9

Not really, no.

I don't know if this helps, but my network looks like this:

internet---router---FreeBSD---switch----hosts
|---access point---hosts
Hosts connected to the switch are my desktop and my two laptops. Hosts connected to the AP are two more laptops and my mobile phone (which normally has wifi switched off, and I'm sure this problem appeared before I even had it on the network).

FreeBSD box is running:

- samba,
- vsftpd,
- sshd,
- dhcpd,
- nat+pf

That is pretty much it.

Thanks,
K.
#6
Old 2nd June 2010
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

You could look at the MAC addresses, which reveal the manufacturer of the network device.
Code:
$ arp -an
? (10.0.0.138) at 00:90:d0:83:06:7a on xl0
? (192.168.222.10) at 00:08:c7:05:ca:0b on fxp0 static
? (192.168.222.20) at 00:19:db:47:b0:4c on fxp0
? (192.168.222.33) at 00:11:d8:f1:dd:99 on fxp0
? (192.168.222.250) at (incomplete) on fxp0
Then you retrieve http://standards.ieee.org/regauth/oui/oui.txt

The first MAC from my ARP list is 00:90:d0:83:06:7a. Searching the oui.txt file for 00-90-D0:
Code:
00-90-D0   (hex)		Thomson Telecom Belgium
0090D0     (base 16)		Thomson Telecom Belgium
As a last example, the 00:11:d8:f1:dd:99 address:
Code:
00-11-D8   (hex)		ASUSTek Computer Inc.
0011D8     (base 16)		ASUSTek Computer Inc.
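The ARP-to-vendor lookup from the post above, done offline against a saved copy of oui.txt. This is an added example, not the poster's code: the `arp -an` lines and the oui.txt excerpt are constructed from the entries quoted in the post (with one assumed locally administered address added to show that case), and the file layout assumed is the classic `XX-XX-XX   (hex)<tabs>Vendor` form of the IEEE registry. Two caveats a practitioner will want: a MAC address is trivially spoofed, so the vendor is a hint about the device and nothing more; and phones and laptops that randomise their Wi-Fi MAC set the locally administered bit, so their OUI has no registered owner at all.

```python
import re

# Constructed sample of FreeBSD `arp -an` output: the five lines quoted in the
# post above, plus one assumed locally administered (randomised) address.
ARP_OUTPUT = """\
? (10.0.0.138) at 00:90:d0:83:06:7a on xl0
? (192.168.222.10) at 00:08:c7:05:ca:0b on fxp0 static
? (192.168.222.20) at 00:19:db:47:b0:4c on fxp0
? (192.168.222.33) at 00:11:d8:f1:dd:99 on fxp0
? (192.168.222.250) at (incomplete) on fxp0
? (192.168.222.77) at 02:ab:cd:ef:01:23 on fxp0
"""

# Constructed excerpt of oui.txt in the IEEE registry's layout; only the two
# entries the post looked up are included, so every other OUI comes back unknown.
OUI_TXT = """\
00-90-D0   (hex)\t\tThomson Telecom Belgium
0090D0     (base 16)\t\tThomson Telecom Belgium

00-11-D8   (hex)\t\tASUSTek Computer Inc.
0011D8     (base 16)\t\tASUSTek Computer Inc.
"""

ARP_RE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|\(incomplete\)) on (?P<ifname>\S+)",
    re.IGNORECASE)
OUI_RE = re.compile(r"^([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def load_oui_table(text):
    """Parse the '(hex)' lines of oui.txt into {'00-90-D0': 'Thomson Telecom Belgium', ...}."""
    table = {}
    for line in text.splitlines():
        m = OUI_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def parse_arp(text):
    """Yield (ip, mac_or_None, ifname) from `arp -an` lines; incomplete entries give None."""
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        yield m.group("ip"), (None if mac == "(incomplete)" else mac), m.group("ifname")


def oui_of(mac):
    """'00:90:d0:83:06:7a' -> '00-90-D0' (first three octets, in oui.txt spelling)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:2]}-{digits[2:4]}-{digits[4:6]}"


def is_locally_administered(mac):
    """Bit 1 of the first octet set: locally assigned (e.g. randomised), so no OUI owner."""
    return int(mac[0:2], 16) & 0x02 != 0


def identify_hosts(arp_text, oui_text):
    """Join the ARP table with the OUI registry; unknown and special cases are labelled."""
    table = load_oui_table(oui_text)
    result = []
    for ip, mac, ifname in parse_arp(arp_text):
        if mac is None:
            vendor = "(incomplete ARP entry)"
        elif is_locally_administered(mac):
            vendor = "(locally administered address, no registered vendor)"
        else:
            vendor = table.get(oui_of(mac), "(OUI not in table)")
        result.append({"ip": ip, "mac": mac, "if": ifname, "vendor": vendor})
    return result


if __name__ == "__main__":
    for h in identify_hosts(ARP_OUTPUT, OUI_TXT):
        print(f"{h['ip']:<16} {h['mac'] or '-':<18} {h['if']:<5} {h['vendor']}")
```

With a full oui.txt on disk, replace `OUI_TXT` with the file's contents and pipe the live table in with `arp -an | python3 this_script.py` after reading `sys.stdin` instead of `ARP_OUTPUT`; the parsers are unchanged.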
#7
Old 19th June 2010
kondziq
New User

Join Date: Jun 2009
Posts: 9

Hi,

After a lot of tests I figured out what causes those weird logs. It's one of the laptops on my network running Skype v4.2. I also use an older version of Skype on a different machine and it doesn't seem to generate that crap, so there must be something about that newish software.

Thanks for help,
K.