Hi there!

I have this weird problem with my SuSEFirewall2 on SuSE 9.0. I haven't opened any ports intentionally, but my log file says that a lot of access attempts on highports get THROUGH the firewall. I have hundreds of entries like this in my /var/log/messages file:

SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=213.165.x.x DST=192.168.0.2 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=16216 DF PROTO=TCP SPT=110 DPT=1435 WINDOW=5792 RES=0x00 ACK PSH URGP=0 OPT (0101080A0A4992810070F15B)

My computer is behind a router/firewall. Someone tries to connect at port 1435 (and a lot of different other highports as well!). I disabled access to highports and I only allowed DNS and DHCLIENT as valid services. At least this was what I was thinking! Here are all the settings of my SuSEFirewall2 file. If anybody could explain what's going on I'd really be grateful.

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DHCLIENT="yes"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_REJECT="no"
FW_HTB_TUNE_DEV=""

yours, markus.
/ 2004-05-10 22:01:12 +0200 \ Markus A. Radner:
Hi there!
I have this weird problem with my SuSEFirewall2 on SuSE 9.0.
If rpm -qf /sbin/SuSEfirewall2 shows something older than SuSEfirewall2-3.1-206, please upgrade. IIRC, there has been some version that got the log prefixes wrong, and reported ACCEPT to syslog where actually it correctly *did* a REJECT or DROP as configured.

Lars Ellenberg
Markus A. Radner wrote:
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=213.165.x.x DST=192.168.0.2 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=16216 DF PROTO=TCP SPT=110 DPT=1435 WINDOW=5792 RES=0x00 ACK PSH URGP=0 OPT (0101080A0A4992810070F15B)
My computer is behind a router/firewall. Someone tries to connect at port 1435 (and a lot of different other highports as well!).
No. Your POP3-Server is sending you an answer to your client port 1045. A new connection would read "SYN ACK" in the flags part of the dumped packet. Check if the name of the configured POP3-server in your mailclient resolves to the IP address in your logfile.

-- 
Have fun, Peter
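To make Peter's point checkable on a whole log file rather than one line by eye: the script below (an added example for this thread, not code from the list or from SuSE) parses the netfilter LOG format that SuSEfirewall2 writes and sorts each ACCEPT line by its TCP flags. ACK without SYN is data on a connection this host opened; SYN without ACK is a genuine inbound connection attempt. The first two sample lines are the ones Markus posted; the third (source 198.51.100.7, destination port 22) is constructed to show what a worrying line would look like. With FW_LOG_ACCEPT_ALL="yes" in the posted config, every accepted packet is logged, replies included, which is why there are hundreds of them.

```python
"""Sort SuSEfirewall2 / netfilter LOG lines into replies on connections
this host opened vs. genuine inbound connection attempts.

Added example for this thread, not code from the list or from SuSE.
The first two lines of SAMPLE_LOG were posted by Markus; the third is
constructed to show what a real inbound attempt looks like.
"""
import re
from typing import Dict, List, Set

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
OPT_RE = re.compile(r"OPT \([0-9A-Fa-f]*\)")

SAMPLE_LOG = """\
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=213.165.x.x DST=192.168.0.2 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=16216 DF PROTO=TCP SPT=110 DPT=1435 WINDOW=5792 RES=0x00 ACK PSH URGP=0 OPT (0101080A0A4992810070F15B)
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=198.51.100.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_fw_line(line: str) -> Dict[str, object]:
    """Split one LOG line into key=value fields plus the set of TCP flags.

    Anything before the SuSE-FW-* prefix (syslog date, host, 'kernel:')
    is ignored, so lines straight out of /var/log/messages work too.
    """
    line = OPT_RE.sub("", line)            # drop the TCP options hex dump
    flags: Set[str] = set()
    fields: Dict[str, object] = {"flags": flags}
    for tok in line.split():
        if tok.startswith("SuSE-FW-"):
            fields["verdict"] = tok[len("SuSE-FW-"):]   # ACCEPT, DROP-DEFAULT, ...
        elif "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)                 # bare flag tokens: ACK PSH SYN ...
    return fields


def classify(fields: Dict[str, object]) -> str:
    """What kind of packet is this, judged by the TCP flags only?"""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connection-attempt"   # someone really is knocking
    if "SYN" in flags:
        return "syn-ack-reply"                # second step of a handshake we started
    if "ACK" in flags:
        return "established-reply"            # data on a connection we opened
    return "other"


def summarize(log_text: str) -> List[Dict[str, object]]:
    """One summary record per SuSE-FW line in the text."""
    records = []
    for line in log_text.splitlines():
        if "SuSE-FW-" not in line:
            continue
        f = parse_fw_line(line)
        records.append({
            "verdict": f.get("verdict"),
            "kind": classify(f),
            "src": f.get("SRC"),
            "remote_port": int(f["SPT"]),
            "local_port": int(f["DPT"]),
            # a low remote port is the tell-tale of a server answering a client
            "remote_is_service": int(f["SPT"]) < 1024,
        })
    return records


def accepted_inbound_attempts(log_text: str) -> List[Dict[str, object]]:
    """The lines worth a second look: ACCEPTed packets that open a connection."""
    return [r for r in summarize(log_text)
            if r["verdict"] == "ACCEPT" and r["kind"] == "inbound-connection-attempt"]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
    print("needs attention:", accepted_inbound_attempts(SAMPLE_LOG))
```

Run it against /var/log/messages (grep for SuSE-FW first) and the only lines that deserve attention are those returned by accepted_inbound_attempts(); the ACK-only lines Markus saw are answers from port 110 (POP3) and port 80 (HTTP) to ports his own client programs picked.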
Hi,

thanks everybody for your comments. I checked the version of my SuSEFirewall2 and it is not outdated. But thank you for that suggestion. What I didn't know - oh bloody beginner! - is that the firewall "remembers" outgoing requests and opens for the answers. OK, could have guessed that, though.

Just one more question: Is there any command or tool that can display which services or programs are running on a certain port on my computer? If you take a look at the following entry of my log file you will see that someone from source port 80 is connecting to (or trying to?) my local port 1077. So I am curious. Which software is running there, or at any other (high) port of interest? Is there any way to find out? (OK, I know that there's a list of ports and protocols for low ports in /etc/protocols; but what about higher ports?)

SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)

Thanks again!
markus.

On Monday 10 May 2004 22:01, Markus A. Radner wrote:
Hi there!
I have this weird problem with my SuSEFirewall2 on SuSE 9.0. I haven't opened any ports intentionally, but my log file says that a lot of access attempts on highports get THROUGH the firewall.
I have hundreds of entries like this in my /var/log/messages file:
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=213.165.x.x DST=192.168.0.2 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=16216 DF PROTO=TCP SPT=110 DPT=1435 WINDOW=5792 RES=0x00 ACK PSH URGP=0 OPT (0101080A0A4992810070F15B)
My computer is behind a router/firewall. Someone tries to connect at port 1435 (and a lot of different other highports as well!). I disabled access to highports and I only allowed DNS and DHCLIENT as valid services. At least this was what I was thinking! Here are all the settings of my SuSEFirewall2 file. If anybody could explain what's going on I'd really be grateful.

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DHCLIENT="yes"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
yours, markus.
On Tuesday, 11 May 2004 12:58, Markus A. Radner wrote:
Just one more question: Is there any command or tool that can display which services or programs are running on a certain port on my computer? If you take a look at the following entry of my log file you will see that someone from source port 80 is connecting to (or trying to?) my local port 1077. So I am curious. Which software is running there, or at any other (high) port of interest? Is there any way to find out? (OK, I know that there's a list of ports and protocols for low ports in /etc/protocols; but what about higher ports?)
Try one of those: "lsof -i -P -T" (my favorite) or netstat (rtfm for parameters)

Regards
Christian
On Tuesday, 11 May 2004 12:58, Markus A. Radner wrote:
Just one more question: Is there any command or tool that can display which services or programs are running on a certain port on my computer? [...]
Markus, try netstat :) and search for your port.

-- 
Kind regards
Christian
Trainee at the computing centre, Universität Greifswald
Hi Markus,
Just one more question: Is there any command or tool that can display which services or programs are running on a certain port on my computer?
--> Try "netstat -pat" and "netstat -pau"

Armin

-- 
Am Hasenberg 26                 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                     Schloss-Straße 6
Tel. ++49-(0)38203/42137                D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de             Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/             Fax. +49-(0)38293-68-50
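For anyone curious what "netstat -p" and "lsof -i" actually do to put a program name next to a port: on Linux the kernel exposes every TCP socket with its inode in /proc/net/tcp, and each process's open descriptors in /proc/<pid>/fd link to "socket:[inode]". The script below (an added example, not code from the list, from netstat or from lsof) walks exactly that path, opens a throwaway listening socket on a kernel-chosen high port, and checks that it finds its own PID. Processes you are not allowed to inspect are skipped, which is why those tools need root to show everything.

```python
"""How netstat -p / lsof -i find the program behind a port: read the
socket's inode from /proc/net/tcp, then look for that inode among every
process's open file descriptors in /proc/<pid>/fd.

Added example for this thread, not code from the list, from netstat or
from lsof. Linux only; processes you cannot inspect (other users' when
not root) are skipped, which is also why netstat -p wants root.
"""
import os
import socket
from typing import Optional

LISTEN = "0A"   # TCP state code used in /proc/net/tcp


def listening_socket_inode(port: int) -> Optional[int]:
    """Inode of the LISTEN socket bound to `port`, or None if nothing listens."""
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                next(fh)                            # skip the column header
                for line in fh:
                    cols = line.split()
                    local, state, inode = cols[1], cols[3], cols[9]
                    if state == LISTEN and int(local.rsplit(":", 1)[1], 16) == port:
                        return int(inode)
        except FileNotFoundError:
            continue                                # e.g. IPv6 disabled
    return None


def pid_for_socket_inode(inode: int) -> Optional[int]:
    """Scan /proc/<pid>/fd for a descriptor pointing at socket:[inode]."""
    target = f"socket:[{inode}]"
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except (PermissionError, FileNotFoundError):
            continue                                # not ours, or already gone
        for fd in fds:
            try:
                if os.readlink(f"{fd_dir}/{fd}") == target:
                    return int(pid)
            except OSError:
                continue
    return None


def owner_of_port(port: int) -> Optional[int]:
    """PID of the process listening on a local TCP port, if we may see it."""
    inode = listening_socket_inode(port)
    return None if inode is None else pid_for_socket_inode(inode)


def demo() -> bool:
    """Open a listening socket ourselves and check that we find our own PID."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))                  # kernel picks a free high port
        srv.listen(1)
        port = srv.getsockname()[1]
        return owner_of_port(port) == os.getpid()


if __name__ == "__main__":
    print("found our own listener:", demo())
```

Note that this only answers the question for ports something is *listening* on. The high ports in Markus's log are client ports (state ESTABLISHED, not LISTEN, in /proc/net/tcp), and "netstat -pat" shows those too, with the client program, e.g. the mail client, next to them.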
Markus A. Radner wrote:
If you take a look at the following entry of my log file you will see that someone from source port 80 is connecting to (or trying to?) my local port 1077. So I am curious. Which software is running there, or at any other (high) port of interest? Is there any way to find out? (OK, I know that there's a list of ports and protocols for low ports in /etc/protocols; but what about higher ports?)
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)
Again, this is the *answer* from the http server at 64.151.x.x, port 80. Basically (most times), tcp/udp services accept connections on low ports (<1024), and clients connect to these services using high ports (>1024). Return packets use the same connection (ports). Robbert
Markus A. Radner wrote:
If you take a look at the following entry of my log file you will see that someone from source port 80 is connecting to (or trying to?) my local port 1077. So I am curious. Which software is running there, or at any other (high) port of interest? Is there any way to find out? (OK, I know that there's a list of ports and protocols for low ports in /etc/protocols; but what about higher ports?)
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)
Again, this is the *answer* from the http server at 64.151.x.x, port 80. Basically (most times), tcp/udp services accept connections on low ports (<1024), and clients connect to these services using high ports (>1024). Return packets use the same connection (ports).
And don't forget that NAT has been done meanwhile. NO ONE CAN ROUTE TO THE LOCAL 192.168.0.2 Address from outside. Exactly you have to say that NAT (Network Address Translation) and PAT will be done by the SUSE Firewall. Both in combination is called MASQUERADING. This manipulates the answer-packages.

Otherwise your LAN behind the firewall can't address locations in the internet. I am sure that you have only one official IP given by your provider! All clients in your LAN have to share this one IP. And this will be done by MASQUERADING.

So you can't conclude from the given log-entry to the real allocated port from outside.

For this you have to do a *tcpdump* on your outside-interface. And then do another http-request. This will answer many of the confusion.

Tom
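Tom's point in code: below is a small model of masquerading (NAT plus PAT with connection tracking), added here as an illustration and not code from the thread or from SuSEfirewall2. The public address 203.0.113.5 and the web server 198.51.100.20 are constructed, and the sequential port allocator stands in for whatever the real router does. It shows three things at once: two LAN hosts can both use client port 1077 towards the same server because the router gives each its own outside port; the reply comes back to the outside port and is rewritten to 192.168.0.2:1077 before Markus's firewall ever logs it, so the log cannot tell you the outside port (only tcpdump on the outside interface can); and a packet from the internet that matches no tracked connection has nowhere to go and is dropped.

```python
"""Tiny model of the masquerading (NAT + PAT) Tom describes, to show why
the port number in Markus's log is not the port the web server saw.

Added example, not code from the thread or from SuSEfirewall2. The IP
addresses and the port allocator are constructed for illustration.
"""
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "ACK"


class Masquerader:
    """Connection-tracking NAT on the router's outside interface."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        # simplistic sequential allocator; a real router picks from a range
        self._ports = itertools.count(first_port)
        # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite source to the public IP and an allocated port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:            # first packet of a new connection
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> LAN: only packets matching tracked state get through, rewritten."""
        entry = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                         # unsolicited: no state, dropped
        lan_ip, lan_port = entry
        return replace(pkt, dst=lan_ip, dport=lan_port)


def demo() -> Dict[str, object]:
    """Two LAN hosts both use client port 1077 towards the same web server."""
    nat = Masquerader("203.0.113.5")            # constructed public address
    web = "198.51.100.20"                        # constructed web server
    a_out = nat.translate_outbound(Packet("192.168.0.2", 1077, web, 80, "SYN"))
    b_out = nat.translate_outbound(Packet("192.168.0.3", 1077, web, 80, "SYN"))
    # the server's answer to the second host, as seen on the outside interface
    reply_to_b = Packet(web, 80, nat.public_ip, b_out.sport, "ACK")
    # nobody inside asked for this one
    stray = Packet("192.0.2.9", 80, nat.public_ip, 1077, "SYN")
    return {
        "public_port_a": a_out.sport,
        "public_port_b": b_out.sport,
        "reply_b_inside": nat.translate_inbound(reply_to_b),
        "stray_inside": nat.translate_inbound(stray),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The inside log line "SRC=64.151.x.x SPT=80 DST=192.168.0.2 DPT=1077" corresponds to what translate_inbound() returns; what the outside world saw is the packet before that rewrite, addressed to the public IP and the router-chosen port.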
Hi.

Please, please, please... Can anyone tell me how to use PAT under SuSEFirewall2?

Sorry for using this thread to ask this, but Tom mentioned it and I got nervous because I have been trying it for a while. In the end, I used squid for apache, but I found nothing for ssh and cvs, so I have to check the firewall along with the ssh, cvs and snort logs.

Regards.

On Tuesday, 11 May 2004 17:32, Tom Kramer wrote:
Markus A. Radner wrote:
If you take a look at the following entry of my log file you will see that someone from source port 80 is connecting to (or trying to?) my local port 1077. So I am curious. Which software is running there, or at any other (high) port of interest? Is there any way to find out? (OK, I know that there's a list of ports and protocols for low ports in /etc/protocols; but what about higher ports?)
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)
Again, this is the *answer* from the http server at 64.151.x.x, port 80. Basically (most times), tcp/udp services accept connections on low ports (<1024), and clients connect to these services using high ports (>1024). Return packets use the same connection (ports).
And don't forget that NAT has been done meanwhile. NO ONE CAN ROUTE TO THE LOCAL 192.168.0.2 Address from outside. Exactly you have to say that NAT (Network Address Translation) and PAT will be done by the SUSE Firewall. Both in combination is called MASQUERADING. This manipulates the answer-packages.
Otherwise your LAN behind the firewall can't address locations in the internet. I am sure that you have only one official IP given by your provider! All clients in your LAN have to share this one IP. And this will be done by MASQUERADING.
So you can't conclude from the given log-entry to the real allocated port from outside.
For this you have to do a *tcpdump* on your outside-interface. And then do another http-request. This will answer many of the confusion.
Tom
-- 
Manuel Balderrábano
e-mail: garibolo@wanadoo.es
-----Original Message----- From: Manuel Balderrábano [mailto:garibolo@wanadoo.es] Sent: Tuesday, May 11, 2004 5:42 PM To: suse-security@suse.com Subject: Re: [suse-security] SuSEFirewall doesn't work?
Hi.
Please, please, please... Can anyone tell me how to use PAT under SuSEFirewall2?
Sorry for using this thread to ask this, but Tom mentioned it and I got nervous because I have been trying it for a while. In the end, I used squid for apache, but I found nothing for ssh and cvs, so I have to check the firewall along with the ssh, cvs and snort logs.
I don't know what you want to do exactly but check this: http://www.sun.com/bigadmin/content/submitted/squid_proxy.html

Maybe this is the answer you are looking for:

"... You probably have a more sophisticated NetFilter setup. However, there is one line that you need to redirect inbound traffic on port 80 to Squid on port 3128:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 ..."
participants (9):
- Armin Schoech
- Christian Heim
- Christian Hernmarck
- Lars Ellenberg
- Manuel Balderrábano
- Markus A. Radner
- Peter Wiersig
- Robbert Eggermont
- Tom Kramer