thedude
September 15th, 2003, 00:58
This is about all I ever see from my OpenBSD firewall behind a router running NAT.

Sep 12 17:59:37.043593 rule -1/3(short): block in on vr0: 192.168.2.7 > 224.0.0.2: igmp leave 224.0.0.251 (DF) [ttl 1]
Sep 12 18:16:57.166877 rule -1/3(short): block in on vr0: 192.168.2.7 > 224.0.0.2: igmp leave 224.0.1.1 (DF) [ttl 1]
Sep 12 18:16:57.631251 rule -1/3(short): block in on vr0: 192.168.2.7 > 224.0.0.2: igmp leave 224.0.0.251 (DF) [ttl 1]
Sep 13 16:27:52.318783 rule -1/3(short): block in on vr0: 192.168.2.7 > 224.0.0.2: igmp leave 224.0.1.1 (DF) [ttl 1]
Sep 14 18:39:46.172048 rule -1/3(short): block in on vr0: 192.168.2.7 > 224.0.0.2: igmp leave 224.0.1.1 (DF) [ttl 1]

Is this just NTP requests? I haven't found much on Google... I apologize if this is a waste of everybody's time. I'm just disappointed I haven't seen any hack attempts in my logs.

thedude
September 15th, 2003, 01:09
I also noticed stuff like this:
Jun 02 11:32:48.086610 rule 0/3(short): pass in on xl0: 192.168.2.100 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jun 02 11:32:49.050759 rule 0/3(short): pass in on xl0: 192.168.2.100 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jun 02 13:43:53.937002 rule -1/3(short): block in on xl0: 192.168.2.101 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jun 02 13:43:54.910097 rule -1/3(short): block in on xl0: 192.168.2.101 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jun 02 13:54:38.380308 rule -1/3(short): block in on xl0: 169.254.159.100 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jun 02 13:54:39.913006 rule -1/3(short): block in on xl0: 169.254.159.100 > 224.

I understand the 169.x requests are just Windows clients trying to auto-configure themselves. But what are those 192.168.2.100x addresses doing behind my OpenBSD router/firewall since it's only offering addresses in the 192.168.2.1 - 192.168.2.10 range? Checked my dhcpd.leases and saw no entries for 192.168.2.100 and up.

thedude
September 16th, 2003, 20:09
Any thoughts?

|MiNi0n|
September 16th, 2003, 20:26
What's the corresponding pf rule for this? Is xl0 your external interface?

The log says block in on xl0 so it's incoming, if xl0 is external it's a spoofed IP (or an extremely misdirected one!) from 192.168.x to the 224

bsdjunkie
September 16th, 2003, 20:30
224.x.x.x is reserved for multicasting. Specifically, 224.0.0.22 is IGMPv3 Reports, and 224.0.0.2 is all multicast routers. A couple of good papers I found off Google are below.

http://www.cs.virginia.edu/~cs551ie/slides/cs458-lecture19-mcast.pdf
http://www.ja.net/conferences/networkshop/networkshop_30/G.Fairhurst.pdf
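
A small triage script, added here as an example and not taken from the thread, that parses pflog lines in the tcpdump format shown above and annotates each one with what the multicast destination is and whether the source looks like an APIPA host or a private address outside the DHCP pool. The sample lines are constructed from the ones posted in this thread; the DHCP pool (192.168.2.1-192.168.2.10) is assumed from the poster's description, and the group names come from the IANA multicast registry (224.0.0.2 and 224.0.0.22 as bsdjunkie describes, plus 224.0.0.251 for mDNS and 224.0.1.1 for NTP, the two groups the first log shows hosts leaving).

```python
import ipaddress
import re

# Constructed pflog sample, based on the lines posted in this thread.
SAMPLE_LOG = """\
Sep 12 17:59:37.043593 rule -1/3(short): block in on vr0: 192.168.2.7 > 224.0.0.2: igmp leave 224.0.0.251 (DF) [ttl 1]
Jun 02 11:32:48.086610 rule 0/3(short): pass in on xl0: 192.168.2.100 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jun 02 13:54:38.380308 rule -1/3(short): block in on xl0: 169.254.159.100 > 224.0.0.22: igmp-2 [v2] [ttl 1]
"""

# One tcpdump pflog line: timestamp, rule nr/reason nr(reason name), action, direction, interface, src > dst, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>-?\d+)/(?P<reason>\d+)\((?P<rname>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifc>\w+): (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)

# IANA-assigned IPv4 multicast groups seen in the thread. 224.0.0.0/24 is link-local scope and is never forwarded.
KNOWN_GROUPS = {
    "224.0.0.2": "all multicast routers (target of IGMP leave messages)",
    "224.0.0.22": "IGMPv3 membership reports",
    "224.0.0.251": "mDNS",
    "224.0.1.1": "NTP multicast group",
}

# Assumed DHCP pool, taken from the poster's description of the router configuration.
DHCP_POOL = (ipaddress.IPv4Address("192.168.2.1"), ipaddress.IPv4Address("192.168.2.10"))
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")

def parse_line(line):
    """Return the named fields of one pflog line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(rec):
    """Explain the destination group and flag sources that merit a look at leases or ARP."""
    src, dst, notes = ipaddress.IPv4Address(rec["src"]), ipaddress.IPv4Address(rec["dst"]), []
    if dst.is_multicast:
        notes.append("multicast -> " + KNOWN_GROUPS.get(rec["dst"], "group not in table"))
        if dst in LINK_LOCAL_MCAST:
            notes.append("link-local scope, TTL 1: the sender is on this segment, not routed in")
        if rec["rest"].startswith("igmp leave"):
            left = rec["rest"].split()[2]
            notes.append("host leaving group " + KNOWN_GROUPS.get(left, left))
    if src.is_link_local:   # 169.254/16, check before is_private (which also covers it)
        notes.append("source is APIPA (169.254/16): a host that got no DHCP lease")
    elif src.is_private and not (DHCP_POOL[0] <= src <= DHCP_POOL[1]):
        notes.append("private source outside the DHCP pool: static or unexpected host, check leases and ARP")
    return notes

def triage_log(text):
    """Parse every line that matches and return (src, dst, notes) per packet."""
    return [(r["src"], r["dst"], triage(r)) for r in map(parse_line, text.splitlines()) if r]
```

Run `triage_log(SAMPLE_LOG)` to see each line annotated; the hosts at 192.168.2.100 and up show as "outside the DHCP pool", which is the question the second post raises.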

thedude
September 18th, 2003, 22:27
Yeah, xl0 is incoming. Researching why I would be getting multicasts...