Firewall Wizards mailing list archives

Re: having trouble reading ipf logs ... different than documentation ?


From: "list tracker" <list_tracker () hotmail com>
Date: Fri, 02 Feb 2001 23:59:11 -0000



The reason you don't know port number is because for protocol 162 there
is no port number and besides which it is a fragment (although the endian
decoding is wrong in the length).

Oh, it was neither a "block" nor a "pass" rule that generated that output,
it was a "log" rule - if that helps.


Ok, here are the entries I have:

block return-rst in log proto tcp from any to any port = 23
block out log proto tcp/udp from any to any port = 23
block return-icmp-as-dest(port-unr) in log proto udp from any to any port = 23

As you can see, I am blocking all port 23 traffic - both UDP and TCP, both inbound and outbound. And I am doing it with return-rst so that when people scan with nmap, it doesn't show up as blocked.

And as I said, this is what I have in the logs when I try to telnet OUT of my network:

Feb 2 15:55:45 gateway ipmon[28872]: 15:55:44.703055 2x fxp1 @0:0 L 126.6.103.124 -> 10.10.10.10 PR micp len 0 (49185) frag 49185@384
Feb 2 15:55:46 gateway ipmon[28872]: 15:55:45.702803 fxp1 @0:0 L 126.6.100.124 -> 10.10.10.10 PR encap len 0 (49185) frag 49185@384

No ports, which is the first problem. Second, who the heck is 126.6.100.124? They are nowhere on my network, and they are NOT the IP that I tried to telnet to. No idea where it is or where it is coming from. Does not respond to ping.

Basically I just want to know when someone tries to telnet in or out, but the logs produced by telnet traffic do not seem to indicate telnet in any way...

Comments appreciated,

LT
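To make the distinction in this thread concrete, here is an added example (not from the original post, and not part of ipf or ipmon): a small Python parser for ipmon lines that separates the fragment entries quoted above, which carry no port numbers, from an entry that genuinely shows port 23. The third sample line is a constructed TCP record in ipmon's `src,sport -> dst,dport` form; its exact shape is an assumption, as is the `SAMPLE_LOG` text as a whole.

```python
import re

# Constructed sample ipmon output (added example, not from the original post): the two
# fragment entries quoted in the thread, plus one assumed TCP entry carrying ports.
SAMPLE_LOG = """\
Feb 2 15:55:45 gateway ipmon[28872]: 15:55:44.703055 2x fxp1 @0:0 L 126.6.103.124 -> 10.10.10.10 PR micp len 0 (49185) frag 49185@384
Feb 2 15:55:46 gateway ipmon[28872]: 15:55:45.702803 fxp1 @0:0 L 126.6.100.124 -> 10.10.10.10 PR encap len 0 (49185) frag 49185@384
Feb 2 15:56:01 gateway ipmon[28872]: 15:56:00.120001 fxp0 @0:3 b 10.10.10.20,1057 -> 192.0.2.9,23 PR tcp len 20 60 -S OUT
"""
# One ipmon record: [Nx] iface @group:rule action src[,sport] -> dst[,dport] PR proto len hdr total [flags]
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?:(?P<count>\d+)x )?(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) \(?(?P<tlen>\d+)\)?(?P<rest>.*)$"
)

def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if the line is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["count"] = int(e["count"] or 1)            # "2x" means the entry repeated twice
    for k in ("sport", "dport"):
        e[k] = int(e[k]) if e[k] is not None else None
    e["fragment"] = "frag" in e["rest"]
    return e

def explain_ports(e):
    """Why an entry does or does not carry port numbers."""
    if e["fragment"]:
        # A non-initial fragment has no TCP/UDP header, so the filter cannot see ports.
        return "fragment: no transport header, ports unknown"
    if e["proto"] not in ("tcp", "udp"):
        return "protocol %s has no ports" % e["proto"]
    return "ports %s -> %s" % (e["sport"], e["dport"])

def telnet_entries(log_text):
    """Entries that actually show telnet: TCP or UDP with port 23 on either side."""
    hits = []
    for line in log_text.splitlines():
        e = parse_ipmon(line)
        if e and e["proto"] in ("tcp", "udp") and 23 in (e["sport"], e["dport"]):
            hits.append((e["src"], e["dst"], e["action"], e["iface"]))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_ipmon(line)
        print(e["src"], "->", e["dst"], e["proto"], "|", explain_ports(e))
    print("telnet entries:", telnet_entries(SAMPLE_LOG))
```

Only the constructed TCP line is reported as telnet; the two quoted entries are non-initial fragments of non-TCP/UDP protocols, which is why they show neither a port nor anything that ties them to the port 23 rules.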
