I think I found what the alert was all about. And the setup does actually work, believe it or not. It might look clumsy and awful, and not a patch on the SuSEfirewall script, but it was just my first attempt to understand packet filtering.

This rule:

    ipchains -A input -p udp -s ! $INTERNAL -d ! $INTERNAL -j ACCEPT

lets UDP packets for ICQ through. My firewall machine has a dynamic ppp address, so that isn't on the INTERNAL network. What the rule was saying is allow UDP from an external machine to any other external machine, really meaning allow the dynamic external ppp address to talk to any other external address and vice versa. I know it looks clumsy and basically just awful, but it let me send an ICQ UDP packet from my internal machine to the router, then allowed the router to send it down the ppp link, and allowed the reply to the masqued UDP packet back in. I'm not far enough into it to write a more sophisticated rule, hence the note to the list for help. I will use the SuSEfirewall with the suggested input.

Your assessment of this rule

    ipchains -A forward -s $INTERNAL -d $INTERNAL -j ACCEPT

is right; I shouldn't need to forward the internal networks, they should talk to each other. I just had a problem in the beginning when I didn't. I can't remember off the top of my head what it was.

This rule was a secondary stop for external to internal:

    ipchains -A forward -s ! $INTERNAL -d $INTERNAL -j REJECT

From reading the ipchains documentation, a reply to a masqed packet which is demasqued doesn't go through the forward chain, so the masqed reply is not affected by this rule, but the intent was that if someone got through the no-SYN block and tried to contact a machine not masqed, it would be stopped here.

I believe ICQ uses UDP from 4000 upwards. I do have the module ip_masq_ftp running. When really looking into it now, and with your hint about where the packets came from, I think they correspond to an ftp session started by myself to a server.

That looks to have triggered the portscan alert. I was unaware that was the IP address, as I access it with a DNS name. It seems they don't do a reverse DNS lookup, hence the "no host", which is what got me suspicious in the first place, well that and about 12 warning lines about being portscanned!
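To make the chain logic in the message above concrete, here is a small Python model of how ipchains would evaluate the three rules quoted there. This is an added illustration, not code from the original thread or from SuSEfirewall. It assumes $INTERNAL is 192.168.1.0/24, the ppp interface holds 203.0.113.5, the ICQ server is 198.51.100.7, both chains default to DENY, and the input and forward chains also carry an "accept from $INTERNAL" rule and a MASQ rule that the post implies but does not show; all addresses and ports are constructed.

```python
"""Toy model of the ipchains input/forward chains described in the thread.

Assumptions (not from the original post): $INTERNAL = 192.168.1.0/24, the ppp
address is 203.0.113.5, the ICQ server is 198.51.100.7, default policy DENY,
plus an assumed 'accept from $INTERNAL' input rule and a MASQ forward rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # assumed value of $INTERNAL
PPP_ADDR = "203.0.113.5"                  # assumed dynamic ppp address
POLICY = "DENY"                           # assumed default chain policy


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def net_match(net, negate):
    """Matcher for '-s net' / '-d net'; negate models the '!' flag."""
    return lambda addr: (ip_address(addr) in net) != negate


def any_addr(addr):
    return True


# Each rule: (proto or None, src matcher, dst matcher, target); first match wins.
INPUT_CHAIN = [
    # assumed: ipchains -A input -s $INTERNAL -j ACCEPT (needed for outbound)
    (None, net_match(INTERNAL, False), any_addr, "ACCEPT"),
    # ipchains -A input -p udp -s ! $INTERNAL -d ! $INTERNAL -j ACCEPT
    ("udp", net_match(INTERNAL, True), net_match(INTERNAL, True), "ACCEPT"),
]
FORWARD_CHAIN = [
    # ipchains -A forward -s $INTERNAL -d $INTERNAL -j ACCEPT
    (None, net_match(INTERNAL, False), net_match(INTERNAL, False), "ACCEPT"),
    # ipchains -A forward -s ! $INTERNAL -d $INTERNAL -j REJECT
    (None, net_match(INTERNAL, True), net_match(INTERNAL, False), "REJECT"),
    # assumed: ipchains -A forward -s $INTERNAL -j MASQ (not shown in the post)
    (None, net_match(INTERNAL, False), any_addr, "MASQ"),
]

# Constructed masquerade table: (proto, masq port on ppp) -> (internal host, port)
MASQ_TABLE = {("udp", 61000): ("192.168.1.10", 4000)}


def run_chain(chain, pkt):
    """Walk one chain; return the target of the first matching rule or POLICY."""
    for proto, src_ok, dst_ok, target in chain:
        if proto is not None and proto != pkt.proto:
            continue
        if src_ok(pkt.src) and dst_ok(pkt.dst):
            return target
    return POLICY


def traverse(pkt, masq_table=MASQ_TABLE):
    """ipchains path: input chain, then either de-masquerade or forward chain.

    A reply to a masqueraded flow is de-masqueraded right after the input
    chain and handed to the output chain, so it never sees the forward chain.
    """
    verdict = run_chain(INPUT_CHAIN, pkt)
    if verdict != "ACCEPT":
        return verdict
    if pkt.dst == PPP_ADDR:
        if (pkt.proto, pkt.dport) in masq_table:
            return "DEMASQ"          # delivered to the internal host
        return "LOCAL"               # for the router itself
    return run_chain(FORWARD_CHAIN, pkt)


# Constructed sample packets illustrating the thread's scenarios.
ICQ_OUT = Packet("udp", "192.168.1.10", "198.51.100.7", 4000)
ICQ_REPLY = Packet("udp", "198.51.100.7", PPP_ADDR, 61000)
EXT_TO_PRIVATE = Packet("tcp", "198.51.100.7", "192.168.1.10", 21)
STRAY_EXT_UDP = Packet("udp", "5.6.7.8", "9.9.9.9", 53)


def main():
    for name, pkt in [("ICQ out", ICQ_OUT), ("ICQ reply", ICQ_REPLY),
                      ("external -> 192.168.x.x", EXT_TO_PRIVATE),
                      ("stray external UDP", STRAY_EXT_UDP)]:
        print(f"{name:26} input/forward path -> {traverse(pkt)}")
    # The forward REJECT only matters if a packet is accepted by input first.
    print("forward chain alone on external -> private:",
          run_chain(FORWARD_CHAIN, EXT_TO_PRIVATE))


if __name__ == "__main__":
    main()
```

Running it shows the two points made in the message: the broad "! $INTERNAL to ! $INTERNAL" input rule does let the masqueraded ICQ reply in (and it bypasses the forward chain), while a stray external-to-external UDP packet that the same rule accepts is still stopped by the forward chain's default policy, and an external packet aimed at a 192.168.x.x address is denied at input and would be rejected by the forward rule if it ever got that far.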
It won't be possible to address a packet to an address with 192.168.x.x; it never would find the way to you. It would only be possible to scan that host from within your net, and for this your router must be hacked, and the sender address would not be from outside your network.
That's what I thought. I investigated the router and found no evidence of it being hacked, or even looked at (although I am aware that if they had hacked it they would have removed traces). It all just didn't add up for this newbie, and hence the email to the list. I understand a bit more now than I did yesterday. Thanks for the reply Stephan. I have it fixed now. If I've wasted anybody's bandwidth, you have my apologies.

Stephen Thompson