IPFW shows me Strangeness in fresh 8.2-RELEASE system
Barney Wolff
barney at databus.com
Sun Oct 23 04:22:40 UTC 2011
I would bet that all of those packets are being sent to the broadcast
ethernet address. Certainly the DHCP and RIP packets are likely to
have been. Try running tcpdump with -e to see if that's right.
There's a lot of junk on DSL; live with it. Unless the volume is a
significant fraction of your bandwidth, it's harmless.
On Sat, Oct 22, 2011 at 05:47:44PM -0700, Ronald F. Guilmette wrote:
>
> I've been slowly bringing up a fresh new 8.2-RELEASE system on one of my
> static IPs, and I've set up some minimalist ipfw rules, just for the time
> being, to try to protect it from Evil Invaders. I arranged for these rules
> to log all unexpected inbound packets coming in via the one and only ethernet
> card.
>
> The card has been ifconfig'd as follows:
>
> ifconfig_rl0="inet 69.62.255.119 netmask 255.255.255.0"
>
> I'll admit to being ignorant about many of the finer details of networking
> generally, but to my way of thinking, the above configuration should cause
> the card to really only listen for inbound packets addressed to 69.62.255.119.
> Yes? No?
>
> Well, anyway, that's been my experience in the past.
>
> The odd thing is that I'm getting some inbound packets logged by my final
> ``catch all'' deny & log rule in my IPFW rules list, where the destination
> IP address on the packets being logged is *not* 69.62.255.119.
>
> This is absolutely puzzling to me, and I hope that somebody can explain it
> to me. I mean how can this occur? The destination IP addresses in question
> aren't even in the same /24 as my machine, so I really don't understand how
> or why my card is even receiving these packets.
>
> The inbound packets in question are not really a problem. I can easily
> figure out how to add additional ipfw rules to block them completely.
> But the very fact that my ethernet card is even hearing them, given its
> configured IP address, is rather disturbing to me, because it obviously
> means that there's something deep going on here that I just don't understand,
> but I would like to understand it.
>
> The packets in question seem to come in three flavors. About 1/3 of them look
> like this in the /var/log/security file:
>
> Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0
>
> Some others look like this:
>
> Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0
>
> Still others look like this:
>
> Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0
>
> The destination addresses for all of the logged packets represented above are
> quite clearly *not* the IP address of the machine I'm setting up. Not even
> close.
>
> Note that the machine I've been setting up is on a static IP address on an
> ordinary end-luser DSL line. Note also that all addresses within the
> 67.159.128.0/19 block belong to my own ISP, Surewest Broadband. So it would
> seem to be the case that some other folks or businesses who use my same ISP
> may perhaps be sending out some funny (and misdirected?) packets, but that's
> not an issue that concerns me. What does concern me is just the fact that
> my ethernet card seems to be listening to packets that aren't even addressed
> to it, and I really just don't understand why.
>
> Any enlightenment would be appreciated.
>
>
> Regards,
> rfg
>
>
> P.S. This is the first time I've ever touched FreeBSD 8.x. I've been using
> 7.x releases in the past however, and before that 6.x and 5.x releases and
> I've really never seen anything quite like this before. Do 8.x releases now
> cause ethernet cards to listen for stuff they should not even be listening
> for?
>
> Color me perplexed.
--
Barney Wolff I never met a computer I didn't like.
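
An added example, not part of either message: a Python sketch that parses the three ipfw log lines quoted above and labels each destination as limited broadcast, possible directed broadcast, or unicast. The function names are made up for illustration, and the prefix lengths it reports for the RIP packet are a hypothesis, since the sender's netmask does not appear in the log.

```python
import ipaddress
import re

# The three ipfw log lines quoted in the message above.
LOG = """\
Oct 22 17:12:38 coredump kernel: ipfw: 1600 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via rl0
Oct 22 17:12:27 coredump kernel: ipfw: 1600 Deny UDP 67.159.149.215:50669 255.255.255.255:2223 in via rl0
Oct 22 17:12:01 coredump kernel: ipfw: 1600 Deny UDP 67.159.139.178:520 67.159.139.191:520 in via rl0
"""

# Matches the "ipfw: <rule> <action> <proto> src:port dst:port in via <if>" form seen above.
LINE = re.compile(
    r"ipfw: \d+ \w+ \w+ (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):\d+ in via \S+"
)


def directed_broadcast_prefixes(src, dst, shortest=16, longest=30):
    """Prefix lengths for which dst is the broadcast address of a subnet holding src."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for plen in range(shortest, longest + 1):
        net = ipaddress.ip_network(f"{dst}/{plen}", strict=False)
        if net.broadcast_address == dst_ip and src_ip in net:
            hits.append(plen)
    return hits


def classify(line, local_ip):
    """Return (label, prefix_lengths) for one log line, or None if it does not parse."""
    m = LINE.search(line)
    if m is None:
        return None
    src, dst = m["src"], m["dst"]
    if dst == local_ip:
        return ("unicast-to-host", [])
    if dst == "255.255.255.255":
        return ("limited-broadcast", [])
    prefixes = directed_broadcast_prefixes(src, dst)
    if prefixes:
        # Hypothesis only: the sender's real netmask is not in the log.
        return ("possible-directed-broadcast", prefixes)
    return ("unicast-to-other-host", [])


def classify_all(log, local_ip):
    """Classify every parseable line of a log excerpt."""
    return [c for c in (classify(l, local_ip) for l in log.splitlines()) if c]


if __name__ == "__main__":
    for result in classify_all(LOG, "69.62.255.119"):
        print(result)
```

Either broadcast label means the frame would normally carry the Ethernet broadcast destination address, which is what the `tcpdump -e` check suggested in the reply would confirm.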