Home | Content | Search | Navigation | Indexes
 

Mailinglist Archive: opensuse-security (670 mails)

< Previous Next >
Re: [suse-security] firewall log question
  • From: Ray Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 13 Nov 2001 11:31:25 +0200
  • Message-id: <3BF0E86D.9C46A0B@xxxxxxxxxxxxxxxxxxxxxx>


sis.frohn@xxxxxx wrote:

> On Wed, 14 Nov 2001, Michael Appeldorn wrote:
>
> > >I run a small server with a permanent internet connection. This server
> > >acts as proxy to supply about 10 win clients with access to the internet.
> > >The internal network uses addresses like 192.168.1.n (that's on my eth0).
> >
> > >I am confused by the following messages in my firewall log:
> >
> > >Nov 12 16:01:25 server kernel: Packet log: rulchain REJECT eth1 PROTO=6
> > >192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19680 F=0x0000 T=60
> SYN
> > (#21)
> >
> > >What confuses me is the fact that the source (192.168.250.111) is not
> part
> > >of my subnet and that the dest. (192.168.250.0) is not my computer.
> >
> > So - the packets that are reject by the firewall come across the internet
> > side
> > of your box eth1 - while - so you wrote - eth0 is your interface to
> > internal.
> >
> > >I do not understand how this class c type packets get on my network
> > >segment (when I understand things right, those addresses are not routed
> > >at all). I just can tell that as soon as I pull the plug of eth1 those
> > >messages vanish (no big surprise).
> >
> > Its possible to receive packets with class C IP's from external interface
> -
> > while this may be a lan to - the lan of your provider !!!
> >
> > The packets goes to destiniation port 37, protocol tcp - what is the time
> > server !!
> >
> > Maybe 192.168.250.0 is the IP of your external interface ?
> >
> No, it isn't. It is a valid IP starting with 212.something. That is the
> LAN of the provider which is not a class c network.
>
> Yes, somebody want's to know the time. I do not assume an attack. I am
> just wandering why my firewall cares because the IPs do not match.

The firewall cares because this is a SYN packet coming from the internet. It is
probably configured to not allow internet traffic to create connections.

>
>
> Josef
>
> > Michael
> >
> >
>
> --
> GMX - Die Kommunikationsplattform im Internet.
> http://www.gmx.net
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx

--
----------------------------------------------------------------------
Raymond Leach
Cell:+27-82-416-1410 Tel:+27-11-444-5006 Fax:+27-11-444-5007
eMail:raymondl@xxxxxxxxxxxxxxxxxxxxxx
www:http://www.knowledgefactory.co.za
"No matter where you go, there you are ..."
----------------------------------------------------------------------



< Previous Next >
References