I block and log RFC 1918 connection attempts and am seeing the following 
in pflog continuously ad nauseam:

Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1:
172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20]
Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1:
172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20]
Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1:
172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20]

The source IP addresses do repeat (but not in a specific order) and the 
source port remains constant at 6293.

As these addresses (AFAIK) aren't generally routed I'm wondering about 
their source.

Possibly all spoofed, but as I'm using cable service, they could also be 
from a system on the local shared subnet. Another thought is that the 
ISP (Comcast) is using and routing them for their own purposes (VOIP 
service, etc.). Any ideas?

Thanks.

-- 
Chris
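
Added example, not part of the original post: a Python script that rejoins the wrapped pflog lines shown above and tallies source addresses, source ports and RFC 1918 membership, so the pattern the post describes can be checked over a whole log. The regular expression assumes the tcpdump output layout seen in the post, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A record starts with a "Mon DD HH:MM:SS" timestamp; other lines are wrapped tails.
START = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d")
RECORD = re.compile(
    r"^\w{3}\s+\d+\s+[\d:.]+\s+rule\s+(?P<rule>\d+)/\(match\)\s+"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")

# Four records copied from the post above, wrapped as they appear there.
SAMPLE = """\
Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(text):
    """Rejoin wrapped lines, then return one dict per parsable record."""
    joined = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return [m.groupdict() for m in map(RECORD.match, joined) if m]

def summarize(text):
    recs = parse(text)
    return {
        "records": len(recs),
        "rfc1918": sum(is_rfc1918(r["src"]) for r in recs),
        "sources": Counter(r["src"] for r in recs),
        "sports": Counter(int(r["sport"]) for r in recs),
        "dsts": Counter(r["dst"] for r in recs),
        "dports": Counter(int(r["dport"]) for r in recs),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```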
