Junky
August 4th, 2003, 20:42
Hi all,

Something interesting happened tonight, and I could use a little help.
Here is the story...

I recently setup an OpenBSD firewall (with help from this community - thanks):
[My PF rules are shown in my only other mail on this forum - PF Newby.]

          ISP
           |
           |
          dhcp
      LinksysRouter
         static
       192.168.1.1
           |
           |
       192.168.1.4
          vr0
        OpenBSD
          xl0
      192.168.255.1
           |
           |
      192.168.255.2
     InternalMachine

As it happens (and has been proved), the Linksys router appears to be performing most of the filtering, and scans from sites like grc.com show me running in 'full stealth' mode on all ports.

Anyway, I noticed tonight a brief spell where my connection seemed to slow down a little. I thought nothing of it, but when checking my OpenBSD pfctl -s info stats, it showed blocked packets!

Now I was a little surprised, since this is the first time I've seen unexpected packets arrive at my OpenBSD machine (except when I placed it into a DMZ by amending the linksys router config - to test my OpenBSD rules initially).

It suggests (?) that bogus packets have traversed the linksys router only to be stopped by OpenBSD ( ;-) ).

tcpdump showed a number of entries:

block in on vr0: 192.168.1.5.137 > 192.168.1.255.137: udp 68

Given that:

i. vr0 faces the linksys router.
ii. No other devices were active on the router (except obviously the WAN port to the cable modem and OpenBSD to one of the LAN ports).
iii. I have not used 192.168.1.5 anywhere within my network (or 192.168.1.x for that matter).

I looked in /etc/services and noted port 137 corresponds to netbios-ns.

Has anyone got any thoughts on this?

I am very inexperienced in these matters but I think this means somehow a spoofed private IP address got through the linksys firewall, for the purpose of a netbios network (.255 ?) type scan...???
Or then again I could be totally wrong!


Whatever it was, OpenBSD stopped it, and that makes me happy ;-)

Cheers
Junky

bsdjunkie
August 4th, 2003, 20:55
Can you post a whole section of your logs with tcpdump -xnetttr so I can see the hex output?

As to packets going to port 137, there can be numerous reasons. The new RPC exploit, spammers sending popup ads, viruses/trojans, etc...

Unfortunately many ISPs allow RFC 1918 addresses to be routed over their networks, so that may be why you're seeing the 192.168.x.x address.
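
Since an RFC 1918 source on the outside interface can mean either an ISP leaking private addresses or a host on the same LAN segment, the check worth automating is to parse the pflog output and sort the inbound packets on vr0 by those two properties. The script below is an added example, not code from the thread: it parses lines in the format the post shows (as printed by tcpdump on pflog0), the interface name and 192.168.1.0/24 subnet are taken from the diagram in the first post, and the log lines are constructed, with 192.0.2.x and 203.0.113.x (RFC 5737 documentation ranges) standing in for real Internet hosts. A packet addressed to the subnet broadcast 192.168.1.255 is singled out because a NAT router does not hand such a packet to its LAN side from the WAN; it came from a host on that segment.

```python
import ipaddress
import re

# Added example, not from the thread: parse pflog lines as printed by
# "tcpdump -n -e -ttt -i pflog0" in the shape the post shows, and flag inbound
# packets on the outside interface whose source is an RFC 1918 address.
# Interface name and subnet follow the diagram in the thread; the log lines
# below are constructed, with 192.0.2.x / 203.0.113.x (RFC 5737 documentation
# ranges) standing in for real Internet hosts.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

SAMPLE_LOG = """\
Aug 04 20:31:17.402118 rule 2/0(match): block in on vr0: 192.168.1.5.137 > 192.168.1.255.137: udp 68
Aug 04 20:31:18.152401 rule 2/0(match): block in on vr0: 192.168.1.5.137 > 192.168.1.255.137: udp 68
Aug 04 20:32:02.119348 rule 19/0(match): pass out on vr0: 192.168.1.4.43592 > 192.0.2.53.53: 45697+ AAAA? apple.fruittree. (29)
Aug 04 20:32:05.001122 rule 2/0(match): block in on vr0: 203.0.113.77.4021 > 192.168.1.4.1433: tcp 48
Aug 04 20:32:09.771000 rule 2/0(match): block in on vr0: 10.0.0.9.5000 > 192.168.1.4.1433: tcp 48
"""


def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16 only (not the wider 'private' set)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if it is not in the expected shape."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def audit_inbound(log_text, ext_if="vr0", ext_net="192.168.1.0/24"):
    """Flag inbound packets on ext_if with an RFC 1918 source, and mark those sent
    to ext_net's broadcast address: a NAT router does not forward such a packet
    from its WAN side, so it originated on the local segment."""
    net = ipaddress.ip_network(ext_net)
    findings = []
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["dir"] != "in" or rec["iface"] != ext_if:
            continue
        tags = []
        if is_rfc1918(rec["src"]):
            tags.append("rfc1918-src")
        if ipaddress.ip_address(rec["dst"]) == net.broadcast_address:
            tags.append("subnet-broadcast")
        if tags:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "dport": rec["dport"], "action": rec["action"],
                             "tags": tags})
    return findings


if __name__ == "__main__":
    for f in audit_inbound(SAMPLE_LOG):
        print(f["ts"], f["action"], f["src"], "->", f["dst"], f["dport"],
              ",".join(f["tags"]))
```

Feed it real output with `tcpdump -n -e -ttt -r /var/log/pflog > pflog.txt` and pass the file's text to audit_inbound; the regex deliberately returns None for lines it does not recognise (ICMP, IPv6, non-matching formats) rather than guessing.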

Junky
August 5th, 2003, 06:27
Hi bsdjunkie,

Thanks for the offer of help, but I think I worked out the problem.

I let my brother (correction - used to let my brother) connect directly into one of the ports on my Linksys Router so he could take advantage of my link.

Anyway, after a bit of checking around this morning on the machine he uses (which is mine actually) I noted he had changed its IP address to 192.168.1.5 (not sure why yet!).

I tried to see what programs he had been using to see if I could recreate the event. I opened various programs, checked what processes were running etc but could not recreate the packets observed.

Oh well I thought, maybe I did in fact have a genuine problem? Although like you I thought it odd that my ISP would route 192.168.. packets to me!

I shutdown his PC and just before it finally died - POW - packets arrived at my OpenBSD firewall! I turned his PC back on and in the period just before the Windows (ME) password prompt appears I got the same series of packets.

The reason I've only just seen this is because I assume I have never been on-line at the same time as him (i.e. my OpenBSD firewall was off). He runs ZoneAlarm (free version) but I assume this can't catch these packets...?

So, I assume this is just Windows Netbios stuff. The linksys is routing the packets and since they don't come in through the WAN port it is not examining them.


You may be able to help me out with something else I noted while I was checking tcpdump -xnetttr output:

Aug 04 12:00:02.119348 rule 19/0(match):
pass out on vr0: 192.168.1.4.43592 > A.B.C.D.53: 45697+ AAAA? MYHOST.MYDNS. (29)

Where:
A.B.C.D is my ISPs DNS server
MYHOST = my hostname
MYDNS = my DNS domain name

I do not own any domain, so I just made up a hostname and DNS domain name when I installed OpenBSD, e.g. apple.fruittree. I didn't end the domain name with any of the standard .com, .org etc.

Given these packets are getting out, do you think my ISP is going to get annoyed with me, or is this expected behaviour???

Thanks again.

Cheers
Junky

PS I've just ordered TCP/IP Illustrated so hopefully(!?) I will not ask so many lame questions in future!
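
The bursts at boot and just before shutdown fit what a Windows B-node does on the NetBIOS Name Service (UDP/137, RFC 1002): it broadcasts a name registration request for each of its names when it comes up and a name release request when it goes down. The decoder below is an added example, not code from the thread. It constructs both request types with a placeholder host name (BROTHERSPC is invented) and the 192.168.1.5 address from the post, and parses them back; a registration request of this shape is exactly 68 bytes of UDP payload, the figure tcpdump printed in the first post.

```python
import struct

# Added example, not code from the thread: decode an RFC 1002 NetBIOS Name
# Service (NBNS) datagram, the kind of UDP/137 broadcast seen in the post.
# The sample packets are constructed; BROTHERSPC is a placeholder host name.

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x20: "file server",
            0x1B: "domain master browser", 0x1D: "master browser"}
# header flags of the two broadcasts a B-node sends (OPCODE, RD and B bits)
REQUEST_FLAGS = {"registration": 0x2910, "release": 0x3010}


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 15-byte padded name plus suffix
    byte, each nibble written as a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P': not first-level encoded")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def _read_name(buf, pos):
    """Read a name at pos, in label form or as a 0xC0xx pointer; returns
    (name, suffix, next_pos)."""
    if buf[pos] & 0xC0 == 0xC0:
        target = struct.unpack("!H", buf[pos:pos + 2])[0] & 0x3FFF
        name, suffix, _ = _read_name(buf, target)
        return name, suffix, pos + 2
    if buf[pos] != 32:
        raise ValueError("NetBIOS name label must be 32 bytes long")
    name, suffix = decode_netbios_name(buf[pos + 1:pos + 33])
    pos += 33
    while buf[pos] != 0:            # skip scope-id labels (normally absent)
        pos += 1 + buf[pos]
    return name, suffix, pos + 1


def parse_nbns(payload):
    """Parse header, question and resource-record sections into a dict."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    info = {"transaction_id": trn_id, "response": bool(flags & 0x8000),
            "opcode": OPCODES.get(opcode, opcode),
            "broadcast": bool(flags & 0x0010), "questions": []}
    pos = 12
    for _ in range(qd):
        name, suffix, pos = _read_name(payload, pos)
        qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        info["questions"].append({"name": name, "suffix": suffix, "type": qtype,
                                  "service": SUFFIXES.get(suffix, "other")})
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        info[section] = []
        for _ in range(count):
            name, suffix, pos = _read_name(payload, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
            pos += 10
            rdata, pos = payload[pos:pos + rdlen], pos + rdlen
            rec = {"name": name, "suffix": suffix, "type": rtype, "ttl": ttl}
            if rtype == 0x0020 and rdlen >= 6:   # NB record: NB_FLAGS + owner IPv4
                nb_flags, *octets = struct.unpack("!H4B", rdata[:6])
                rec["group"] = bool(nb_flags & 0x8000)
                rec["address"] = ".".join(map(str, octets))
            info[section].append(rec)
    return info


def build_request(kind, name, address, trn_id=0x8000):
    """Construct a NAME REGISTRATION (boot) or NAME RELEASE (shutdown) REQUEST."""
    header = struct.pack("!6H", trn_id, REQUEST_FLAGS[kind], 1, 0, 0, 1)
    question = (b"\x20" + encode_netbios_name(name) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))
    rdata = struct.pack("!H4B", 0x0000, *map(int, address.split(".")))  # unique, B-node
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + question + rr


SAMPLE = build_request("registration", "BROTHERSPC", "192.168.1.5")   # constructed

if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_nbns(SAMPLE))
```

To run it against a real capture, hand parse_nbns the UDP payload (the bytes after the 8-byte UDP header) of a port 137 packet taken from `tcpdump -x` output; the additional record carries the address the host is claiming, which is how 192.168.1.5 would have shown up even before anyone looked at the machine's settings.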

bsdjunkie
August 5th, 2003, 10:17
Given these packets are getting out, do you think my ISP is going to get annoyed with me, or is this expected behaviour???

It looks like you're just querying the ISP's DNS server. This is normal traffic, so I highly doubt they care...



PS I've just ordered TCP/IP Illustrated so hopefully(!?) I will not ask so many lame questions in future!

Great book! :wink:

Junky
August 5th, 2003, 13:20
Thanks again bsdjunkie.

I guessed it was DNS queries, but I was worried about identifying myself with a non-existent domain name - now I think about it, I imagine this happens a lot.

Bought myself a Null Modem cable this afternoon and have set up a serial console on my OpenBSD machine.

Now, when I log into my browsing machine I also use a terminal emulator to login to OpenBSD concurrently (currently HyperTerm on windows, but I'm looking for something better).

I keep the hyperterm open in a small window, with it running tcpdump -nettti pflog0. Hey presto I can now keep an eye on the firewall in realtime as I browse!!! ;-). I imagine there is a better way of doing this, but it will have to do for now?

Anyway, next task is to learn more about hex output from tcpdump -x...

Thanks again
Cheers
Junky

Junky
August 5th, 2003, 13:37
By the way (and just before someone else points it out ;-) !)...

I did think about trying to run SSH server listening on the internal facing ethernet card xl0 of my firewall, and then connect to that over ethernet from my internal machine.

However one of my initial thoughts was to run NO services on the OpenBSD machine at all, until I am more confident - hence the null modem cable!
This may come later.

Cheers
Junky

SolarfluX
August 5th, 2003, 22:31
If you're that paranoid about running sshd, you can always restrict it to one or a handful of IPs that can be allowed to connect, using pf rules. Using certs is another way. I use PuTTY for SSHing into my BSD boxen from doze clients.

Sshd is much more convenient than sitting next to the box with a null modem cable connected.
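
As an added illustration of SolarfluX's suggestion (not a ruleset from the thread): a PF fragment that exposes sshd only on the internal interface and only to one admin host. Interface names and addresses are taken from the diagram in the first post, 192.168.255.2 is assumed to be the only machine that should administer the firewall, and the syntax is the 2003-era form with explicit `flags S/SA keep state`.

```pf
# Added example, not the poster's pf.conf. Assumes ext_if=vr0, int_if=xl0 and
# the addresses from the diagram; 192.168.255.2 is the only admin host.
ext_if = "vr0"
int_if = "xl0"
admin_hosts = "{ 192.168.255.2 }"

# default deny: anything not explicitly passed below is dropped and logged
block in log all

# sshd is reachable only on the internal interface, only from the admin hosts,
# and only by new connections (SYN), after which the state entry carries the flow
pass in quick on $int_if proto tcp from $admin_hosts to $int_if port ssh \
    flags S/SA keep state

# belt and braces: log any ssh attempt on the outside interface separately so it
# stands out in pflog0 (e.g. while the Linksys DMZ is re-enabled for testing)
block in log quick on $ext_if proto tcp from any to any port ssh
```

Pair this with `ListenAddress 192.168.255.1` and `PasswordAuthentication no` in sshd_config so the daemon binds only to xl0 and accepts keys rather than passwords (the "certs" SolarfluX mentions), and check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.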