[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: can anyone explain this ipfilter log entry?

To: "Roger W. Williams" <spiffer@eclipse.net>,OpenBSD Misc <misc@openbsd.org>
Subject: Re: can anyone explain this ipfilter log entry?
From: Kevin Sindhu <kevin@tgivan.com>
Date: Wed, 27 Dec 2000 09:44:49 -0800
Organization: TGI Techonologies Inc.
References: <20001222161038.A13395@deepthought.invalid>

"Roger W. Williams" wrote:

> I have found out that the protocol is Encapsulated Security Protocol, and I
> believe it has something to do with IPSec, but I don't have that enabled on
> this system.  If anyone has any ideas of what this is, or questions, please
> feel free to ask.
> 
> Dec 22 15:58:31 <my hostname> ipmon[8273]:  15:58:30.331950   tun0 @100:21
> b 195.92.213.11 -> <my dynamic ip>  PR esp len 20 (128) IN

Hello, 

Well, could we have a look at your ipf.rules? In either case, here is
what is going on...

The first field is  obvious,  it's  a timestamp. The  second  field is
also pretty obvious, it's the interface that this  event happened
on.(Dial-up/DSL). The third  field @100:21  is  something  most people
miss. This is the rule
that caused the event to happen.  

If  you  wanted  to  know  where this came from, you could look there 
for rule 21
in rule group 100(ipfstat -hi).  The fourth  field,  the  little "b" 
says that this packet was blocked. The fifth and sixth fields are
pretty  self-explanatory,  they  say where  this packet  came from and
where it was going. The seventh ("PR")  and eighth fields tell you the
protocol and the ninth  field tells  you the size of the packet.  

I am guessing that the person has a misconfigured IPSec/VPN Client..I
cannot think of anything else..I tried to resolv that machine(with no
luck). 

Also attached is the traceroute to that machine, which is self
explantory.

HTH

Kevin

---Traceroute---
(Some fields are ommited)

1   xxx
2   xxx
3   xxx
4   xxx
5  if-7-3.core1.Seattle.Teleglobe.net (64.86.80.210)  13.555 ms  13.624
ms  13.621 ms
6  if-8-0.core1.PaloAlto.Teleglobe.net (207.45.223.73)  56.674 ms 
56.364 ms  56.747 ms
7  p3-2.paix-bi1.bbnplanet.net (4.0.3.218)  56.566 ms  56.317 ms  56.622
ms
8  p7-0.paix-bi2.bbnplanet.net (4.0.3.142)  56.876 ms  56.428 ms  56.555
ms
9  p6-0.paloalto-nbr1.bbnplanet.net (4.0.6.97)  56.128 ms  56.423 ms 
56.827 ms
10  p12-0.snjpca1-br2.bbnplanet.net (4.24.5.197)  57.068 ms  57.955 ms 
57.187 ms
11  p9-0.snjpca1-br1.bbnplanet.net (4.24.9.129)  57.736 ms  57.705 ms 
56.906 ms
12  p9-0.nycmny1-nbr1.bbnplanet.net (4.24.9.158)  111.903 ms  111.949
ms  111.685 ms
13  p1-0.nycmny1-br1.bbnplanet.net (4.24.10.82)  112.043 ms  111.782 ms 
111.313 ms
14  p1-0.nycmny1-ba1.bbnplanet.net (4.24.6.230)  111.807 ms  111.848 ms 
112.144 ms
15  p2-0.frnkge1-cr4.bbnplanet.net (4.24.7.86)  194.044 ms *  194.554 ms
16  p5-0.amstnl2-cr4.bbnplanet.net (195.16.175.206)  200.680 ms  198.416
ms  198.727 ms
17  p1-0.amstnl2-cr3.bbnplanet.net (195.16.175.125)  201.600 ms  199.229
ms  198.453 ms
18  p5-0.londen3-cr3.bbnplanet.net (195.16.175.201)  202.591 ms  198.604
ms  202.009 ms
19  p7-0.londen3-cr4.bbnplanet.net (195.16.160.170)  199.124 ms  198.615
ms  206.656 ms
20  212.133.14.33 (212.133.14.33)  199.196 ms  198.688 ms  200.066 ms
21  p5-0-0.london2-cr1.bbnplanet.net (195.16.175.178)  201.738 ms 
201.155 ms  199.018 ms
22  * s4-1-0.energsquar2.bbnplanet.net (195.16.161.130)  194.275 ms 
200.469 ms
23  Pumpkin.AS5388.NET (195.92.201.3)  194.014 ms  193.809 ms  194.055
ms
24  BNR-1.TCL.AS5388.NET (195.92.201.153)  198.732 ms  200.536 ms 
199.608 ms
25  AC-1.TCL.AS5388.NET (195.92.200.200)  211.819 ms  200.300 ms 
209.879 ms
26  planet-gw.btgplc.com (195.92.90.10)  211.223 ms  210.422 ms  211.941
ms
27  * * *
28  * * *
29  * * *
30  * * *

-- 
Kevin Sindhu
Systems Engineer        			E-Mail: kevin@tgivan.com
TGI Technologies Inc.				Tel: (604) 872-6676 Ext 321
107 E 3rd Ave,					Fax: (604) 872-6601
Vancouver,BC V5T 1C7
Canada.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzlOktwAAAEEAO6TbT34TInn5G5Ani2uTYQgD6N12NlGn98n6zx54OnUOfma
ikm0JzuCgRpnQsWCmIjSjtuWknp07LrkpvIX3SjVqtlrhh9m5+2LssF4Wv8J5PFO
YChnc1HY9H6pN9GheKa88dc/kMKwaG+JIY5QtGGQ9LIxDd3dsW8vIn9YMcrlAAUR
sAGHtBBrZXZpbkB0Z2l2YW4uY29tsAED
=aK0n
-----END PGP PUBLIC KEY BLOCK-----

begin:vcard 
n:Sindhu;Kevin
tel;fax:(604) 872 - 6601
tel;work:(604) 872-6676 ext 321
x-mozilla-html:FALSE
url:http://www.tgivan.com  http://www.pop-star.net  http://www.ucanfax.com
org:TGI Techonologies Inc.
adr:;;107th East 3rd Ave;Vancouver;BC;V5T 1C7;Canada
version:2.1
email;internet:kevin@tgivan.com
title:Systems Engineer
note;quoted-printable:-----BEGIN PGP PUBLIC KEY BLOCK-----=0D=0AVersion: 2.6-thawte=0D=0A=0D=0AmQCAzlOktwAAAEEAO6TbT34TInn5G5Ani2uTYQgD6N12NlGn98n6zx54OnUOfma=0D=0Aikm0JzuCgpnQsWCmIjSjtuWknp07LrkpvIX3SjVqtlrhh9m5+2LssF4Wv8J5PFO=0D=0AYChnc1HY9H6pN9GeKa88dc/kMKwaG+JIY5QtGGQ9LIxDd3dsW8vIn9YMcrlAAUR=0D=0AtClUaGF3dGUgRnJlZW1hawgTWVtYmVyIDxrZXZpbkB0Z2l2YW4uY29tPokAlQMF=0D=0AEDlaiDzCc+Uw3kb1TwEBQqcD/2w7w40Zw53ij4CCAZLOy6VP8ezYs9a8g2qDWNE=0D=0AQG4kAElqOz6+53tYwJYEH4navxSqt28GOVGstpfhTSnU/CYvUk+3UjftT9HVuSd=0D=0ATGkvHI84Y/VWdHYvq4yzCag0eXdaq0jpf+7TUiBo7xCnAmlos9GC3NSXqMGa5z7=0D=0A56yU=0D=0A=3DKBtE=0D=0A-----END PGP PUBLIC KE BLOCK-----=0D=0A
x-mozilla-cpt:;-256
fn:Kevin Sindhu
end:vcard

References:
- can anyone explain this ipfilter log entry?
  - From: "Roger W. Williams" <spiffer@eclipse.net>

Prev by Date: Re: Problems upgrading from 2.7 to 2.8
Next by Date: Re: Webgear: "ifconfig ray0 nwid HOME" gives "SIOCS80211NWID invalidargument"
Prev by thread: can anyone explain this ipfilter log entry?
Next by thread: zebra port broken...
Index(es):
- Date
- Thread