Hi,
I saw this today on my firewall:
Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0 win
6667 urg 0 (DF)
Nov 01 12:51:14.027193 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: SFR [bad hdr length] (DF)
Nov 01 12:51:15.692047 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: RPWE [bad hdr length] (DF)
Nov 01 12:51:16.121181 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: SFPW [bad hdr length] (DF)
Nov 01 12:51:17.962807 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: SE [bad hdr length] (DF)
Nov 01 12:51:21.934774 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: SFW [bad hdr length] (DF)
Nov 01 12:51:26.985783 rule def/(short) pass in on vlanxxx:
74.206.235.92.0 > xx.xx.xx.xx.0: SRPWE 1137099714:1137099730(16) win
The internal addresses are changing so it's something like a port scan...
I've added first rule in pf
block drop quick from 74.206.235.92
block drop quick to 74.206.235.92
@0 block drop quick inet from 74.206.235.92 to any
[ Evaluations: 36837 Packets: 2 Bytes: 96 States: 0 ]
[ Inserted: uid 0 pid 12234 State Creations: 0 ]
@1 block drop quick inet from any to 74.206.235.92
[ Evaluations: 36743 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 12234 State Creations: 0 ]
Apparently something is blocked, but also something is passed, since I
still get these messages in my pflog.
pfctl -ss shows no state for 74.206.235.92
How can I block these? What is it exactly?
regards,
Giannis
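
One way to triage pflog output like the lines above, added here as an example and not part of the original post: it parses each record, flags source or destination port 0, SYN combined with FIN or RST, and tcpdump's `[bad hdr length]` marker, then counts per source how many such packets were logged as passed. The record layout and the flag letters are assumed from the lines shown; the sample input is constructed from them with wrapped lines rejoined.

```python
import re
from collections import Counter

# Constructed sample: four records from the post, wrapped lines rejoined.
SAMPLE = """\
Nov 01 12:51:10.857175 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE [bad hdr length] (DF)
Nov 01 12:51:12.724286 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: FPE 1137099714:1137099726(12) ack 0 win 6667 urg 0 (DF)
Nov 01 12:51:14.027193 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SFR [bad hdr length] (DF)
Nov 01 12:51:17.962807 rule def/(short) pass in on vlanxxx: 74.206.235.92.0 > xx.xx.xx.xx.0: SE [bad hdr length] (DF)
"""

# Assumed layout:
# <timestamp> rule <id> <action> <dir> on <if>: src.port > dst.port: <flags> ...
REC = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\S+) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifc>\S+): (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRPWE.]+)(?= |$)(?P<rest>.*)$"
)

def parse(text):
    """Return one dict per TCP record; lines that do not match are skipped."""
    return [m.groupdict() for m in map(REC.match, text.splitlines()) if m]

def anomalies(rec):
    """List the reasons a record cannot belong to a normal TCP connection."""
    flags, reasons = set(rec["flags"]), []
    if "0" in (rec["sport"], rec["dport"]):
        reasons.append("port 0")
    if {"S", "F"} <= flags:
        reasons.append("SYN+FIN")
    if {"S", "R"} <= flags:
        reasons.append("SYN+RST")
    if "[bad hdr length]" in rec["rest"]:
        reasons.append("bad hdr length")
    return reasons

def passed_anomalies(text):
    """Count anomalous packets per source that the log shows as passed."""
    return Counter(r["src"] for r in parse(text)
                   if r["action"] == "pass" and anomalies(r))

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec["ts"], rec["src"], rec["action"], rec["flags"], anomalies(rec))
    print(dict(passed_anomalies(SAMPLE)))
```
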