
Re: odd things in pf drop logs...



On 16 Nov 2005 19:50:32 -0800, [email protected] (Russell Fulton)
wrote:
>Hi, I am writing a program to analyze the drop logs from our pf 
>firewall.  I read the logs from pflog0 with tcpdump.
>
>Currently I am only interested in outbound packets that are being 
>dropped so I filter on src net <local network>.  But I get a steady 
>trickle of packets that are not from our network and which I can not 
>identify after reading the tcpdump man page.
>
>sudo tcpdump -ttn -i pflog0 src net 130.216 | grep -v '130.216'
>1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
>1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
>1132197414.953249 118.221.55.38 > 202.250.187.185: at-#8 2
>1132197414.953356 10.111.197.35 > 206.119.250.10: at-#63 2
>1132197419.017820 222.1.252.13 > 205.243.180.221: at-#141 2
>1132197420.020168 243.11.220.239 > 199.109.236.92: at-#246 2
>1132197420.020232 39.101.239.105 > 196.233.184.35: at-#141 2
>1132197420.020466 91.215.220.115 > 192.100.78.192: at-#135 2
>1132197420.020716 143.185.248.140 > 195.224.249.254: at-#150 2
>1132197425.029290 202.227.188.37 > 157.143.187.152: at-#231 2
>1132197426.033726 30.141.191.130 > 158.11.15.71: at-#202 2
>
>There are two questions here:
>1/ what are these 'packets' and
>2/ why are they getting selected when the filter says src net 130.216?
>
>Cheers and thanks, Russell
Curiouser and curiouser, did some quick grepage here 
/var/log # grep -i "at-#" /var/log/pflog.txt
Nov 17 08:37:05 gw2 pf: rule 23/0(match): pass out on fxp0: 0.134.1.227 > 67.131.22.227: at-#20 358
Nov 17 10:47:02 gw2 pf: rule 23/0(match): pass out on fxp0: 226.107.237.229 > 227.48.149.48: at-#102 358
/var/log # gzip -dc /var/log/archive/pflog.txt.?.gz | grep "at-#"
Nov 16 08:31:43 gw2 pf: rule 23/0(match): pass out on fxp0: 243.200.230.249 > 140.218.28.154: at-#129 5
Nov 15 04:38:04 gw2 pf: rule 0/0(match): block in on fxp0: 134.21.0.echo > 85.126.0.echo: at-#153 45
There is nothing Apple-related on the network here.
greg
-- 
"Access to a waiting list is not access to health care"
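As an added example, not part of this thread, a small Python parser for the `tcpdump -ttn -i pflog0` output quoted above. It tags entries whose decode field is tcpdump's AppleTalk DDP rendering (`at-#<ddp type> <length>`, printed for DDP types tcpdump does not decode further) separately from IP entries, and lists every entry whose source address is not inside the network the `src net` filter was meant to select, which is the check the original `grep -v '130.216'` approximates. The sample lines and the 130.216.0.0/16 prefix are constructed to mirror the quoted output.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -ttn -i pflog0` output, modelled on the quoted lines:
# epoch timestamp, then "src > dst: <decode>".
SAMPLE = """\
1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
1132197414.953216 130.216.5.7.49152 > 192.0.2.10.80: S 1:1(0) win 65535
1132197419.017820 222.1.252.13 > 205.243.180.221: at-#141 2
1132197420.020168 130.216.9.1 > 192.0.2.20: icmp: echo request
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$")


def host_part(field):
    """Strip a trailing port from a tcpdump -n IPv4 address such as 130.216.5.7.49152."""
    parts = field.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else field


def parse_line(line):
    """Return a record for one tcpdump line, or None if it is not in 'src > dst:' form."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # tcpdump's AppleTalk printer emits 'at-#<ddp type> <len>' for DDP types it cannot decode
    kind = "appletalk-ddp" if rest.startswith("at-#") else "ip"
    return {"ts": float(m.group("ts")), "src": host_part(m.group("src")),
            "dst": host_part(m.group("dst")), "decode": rest, "kind": kind}


def find_filter_leaks(text, local_net):
    """Entries whose source is outside local_net despite a 'src net <local_net>' capture filter."""
    net = ipaddress.ip_network(local_net)
    leaks = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            inside = ipaddress.ip_address(rec["src"]) in net
        except ValueError:
            inside = False  # source text is not an IPv4 literal at all
        if not inside:
            leaks.append(rec)
    return leaks


if __name__ == "__main__":
    for rec in find_filter_leaks(SAMPLE, "130.216.0.0/16"):
        print(f'{rec["ts"]:.6f} {rec["src"]} > {rec["dst"]} [{rec["kind"]}] {rec["decode"]}')
```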