BSD DevCenter
oreilly.comSafari Books Online.Conferences.


Monitoring IPFW Logs
Pages: 1, 2

Also in FreeBSD Basics:

Fun with Xorg

Sharing Internet Connections

Building a Desktop Firewall

Using DesktopBSD

Using PC-BSD

Unfortunately, not all packets sent to your computer are as benign as the examples I gave for ports 119 and 113. If someone was looking for a machine to compromise, they could in theory try to get in on any open port. Fortunately, they usually tend to use common exploits on a few "notorious" trojan ports. There will be times when you are reading your firewall log that you'll be glad you that you took the time necessary to create and maintain your firewall.

There are numerous resources on the Internet to find out which ports are used by which exploits. One of the best places to start is with Robert Graham's "What am I seeing? FAQ":

If you come across a port you haven't seen before, there is a comprehensive port search utility here.

If you'd like to see a list of common trojans sorted by different categories, try this page.

The above resources will help to satisfy your curiosity concerning the entries that appear in your firewall log, but the question still remains: What, if anything, can I do about these entries? You can send a polite email with a copy of the firewall entries to either the host's service provider or to the administrator of the network where the host resides. To find out who to send the email to, do a:

dig -x IP_address_of_sender

to get the host name of the machine that sent the undesirable packets. You can then try a whois query on the last portion (or TLD) of the host name to see who registered that TLD (top-level domain). For example, I received a lot of netbus (a common trojan) entries from a host whose name ended with "". When I ran the whois utility, I received the following response:

Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to for detailed information.


To single out one record, look it up with "xxx", where xxx is one of the of the records displayed above. If the records are the same, look them up with =xxx to receive a full display for each record.

>>> Last update of whois database: Thu, 28 Jun 2001 02:04:50 EDT <<<

The registry database contains only .com, .net, .org, .edu, domains and registrars.

Because there were two registrants that had "" as part of their name, I re-ran the inquiry like so:

<snip output>

Home Network (HOME-DOM)
   425 Broadway St.
   Redwood City, CA 94063

   Domain Name: HOME.COM

   Administrative Contact, Technical Contact:
      DNS Administration  (DA24627-OR)  abuse@HOME.COM
      @Home Network
      425 Broadway St
      Redwood City , CA 94063
      Fax- 650-556-6666

Because this is a service provider, I'm not surprised that the email address of the administrative contact is "". If this had been a small company who had not set up an "abuse" email account, I could instead send an email to the person listed in the "Administrative Contact, Technical Contact" section.

You'll note from the original whois query that there are several competing registrars. If you don't receive any results from your whois query, the host probably lives in a different portion of the globe and its TLD may be registered in a different database. The whois utility on your FreeBSD system has several switches to allow you to query the various whois databases. The following useful switches are taken from man whois:

WHOIS(1)    FreeBSD General Commands Manual    WHOIS(1)

Whois looks up records in the databases maintained by 
several Network Information Centers (NICs).

The options are as follows:

-p   Use the Asia/Pacific Network Information Center 
     (APNIC) database. It contains network numbers used 
     in East Asia, Australia, New Zealand, and the 
     Pacific islands.

-r   Use the R'eseaux IP Europ'eens (RIPE) database.  It 
     contains network numbers and domain contact 
     information for Europe.


A common complaint from those who take the time to send polite email is that they never receive acknowledgement that their email was even received or that any satisfactory action against the offending host took place. As a result, many administrators now upload their firewall logs to a centralized database. There are several interesting initiatives available; even if you don't want to participate, you can still view the accumulated statistics to see which ports are being probed and by whom.

One initiative is at Its script allows you to upload your ipfw logs and I will be demonstrating its usage in a future article.

Another is at They accept snort logs and I'll cover this initiative in more depth later on this year when I demonstrate creating an intrusion detection system with snort. Securityfocus also has several valuable mailing lists. My favorite is the "incidents" mailing list. You can read the archives or sign up for any of their mailing lists at

Yet another initiative is at, which is headed up by the SANS Institute. If you are interested in security issues, it sends out a weekly newsletter via email. To subscribe, email with the subject line: Subscribe Newsbites

The links mentioned in today's article should get you started on understanding the entries in your firewall log. In next week's article, I'd like to take a break from firewalls and do my semi-annual tour through the ports collection.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

Read more FreeBSD Basics columns.

Return to the BSD DevCenter.

Sponsored by: