[fwAnalog] Blocked Packet Report clarification

From: WR (gen2~AT~planetofidiots.com)
Date: Sun Dec 21 2003 - 22:05:49 CET



Hi all

I'm new to fwanalog, have it running on OpenBSD 3.4, and it seems to be working quite well. For the first week of logging, the Blocked Packet Report section at the top showed stuff like what's at the bottom here, which shows my (old, temporary) IP address. Whenever I reset my pppoe connection, the IP in the blocked packet column reflected that, and there was a list section for each IP I was assigned by my ISP. This all made perfect sense until recently, when I'm seeing new IPs in that column that definitely are not mine, completely different. So now I'm not sure what this column includes/excludes, or where these not-mine IPs are derived. Could someone tell me what exactly I'm seeing there, and why there are external host IPs?

THANKS!

#blocks: %blocks: kbytes:       last time: blocked packet
-------: -------: ------: ---------------: --------------
    398:  83.79%:  18.84: Dec/20/03 14:11: 63.196.240.98
    204:  42.95%:  18.84: Dec/20/03 14:11:   63.196.240.98/udp
    152:  32.00%:   5.20: Dec/20/03 14:11:     63.196.240.98:3703/udp
     29:   6.11%:   1.42: Dec/20/03 13:10:     63.196.240.98:netbios-ns (137)/udp
     14:   2.95%:   5.14: Dec/20/03 13:12:     63.196.240.98:ms-sql-m (1434)/udp
      7:   1.47%:   6.01: Dec/20/03 13:38:     63.196.240.98:loc-srv (135)/udp
      2:   0.42%:   1.07: Dec/20/03 05:21:     63.196.240.98:1026/udp
    194:  40.84%:   0.00: Dec/20/03 14:05:   63.196.240.98/tcp
     57:  12.00%:   0.00: Dec/20/03 13:45:     63.196.240.98:6348/tcp
     57:  12.00%:   0.00: Dec/20/03 14:05:     63.196.240.98:microsoft-ds (445)/tcp
     37:   7.79%:   0.00: Dec/20/03 12:08:     63.196.240.98:gnutella-svc (6346)/tcp
      8:   1.68%:   0.00: Dec/20/03 12:06:     63.196.240.98:netbios-ssn (139)/tcp


This archive was generated by hypermail 2.1.5 : Mon Dec 22 2003 - 23:02:04 CET