Mailinglist Archive: opensuse-security (670 mails)
RE: [suse-security] firewall log question
- From: sis.frohn@xxxxxx
- Date: Tue, 13 Nov 2001 09:26:59 +0100 (MET)
- Message-id: <26733.1005640019@xxxxxxxxxxxxx>
On Wed, 14 Nov 2001, Michael Appeldorn wrote:
> >I run a small server with a permanent internet connection. This server
> >acts as proxy to supply about 10 win clients with access to the internet.
> >The internal network uses addresses like 192.168.1.n (that's on my eth0).
>
> >I am confused by the following messages in my firewall log:
>
> >Nov 12 16:01:25 server kernel: Packet log: rulchain REJECT eth1 PROTO=6
> >192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19680 F=0x0000 T=60 SYN (#21)
>
> >What confuses me is the fact that the source (192.168.250.111) is not part
> >of my subnet and that the dest. (192.168.250.0) is not my computer.
>
> So - the packets that are rejected by the firewall come across the internet
> side of your box eth1 - while - so you wrote - eth0 is your interface to
> internal.
>
> >I do not understand how these class c type packets get on my network
> >segment (when I understand things right, those addresses are not routed
> >at all). I just can tell that as soon as I pull the plug of eth1 those
> >messages vanish (no big surprise).
>
> It's possible to receive packets with class C IPs from the external interface -
> while this may be a LAN too - the LAN of your provider !!!
>
> The packets go to destination port 37, protocol tcp - which is the time
> server !!
>
> Maybe 192.168.250.0 is the IP of your external interface ?
>
No, it isn't. It is a valid IP starting with 212.something. That is the
LAN of the provider which is not a class c network.
Yes, somebody wants to know the time. I do not assume an attack. I am
just wondering why my firewall cares because the IPs do not match.
Josef
> Michael
>
>
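Added example, not part of the original mails: a small Python parser for the ipchains `Packet log:` line quoted in this thread, reporting why a packet with RFC 1918 addresses arriving on the external interface stands out. `eth1` as the external interface comes from the thread; the /24 mask for the internal 192.168.1.n network and all function names are assumptions.

```python
import ipaddress
import re

# Field layout of the ipchains "Packet log:" line quoted in this thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_IFACE = "eth1"                                 # external side, per the thread
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed mask for 192.168.1.n

def is_private(addr):
    return any(addr in net for net in RFC1918)

def parse(line):
    """Return the log fields as a dict, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["syn"] = rec["syn"] is not None
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec

def findings(rec):
    """Explain what is unusual about a packet seen on the external interface."""
    notes = []
    if rec["iface"] == EXTERNAL_IFACE:
        if is_private(rec["src"]):
            notes.append("private source on external interface")
        if rec["src"] in INTERNAL_NET:
            notes.append("source claims internal LAN address (spoofed)")
        if is_private(rec["dst"]) and rec["dst"] not in INTERNAL_NET:
            notes.append("private destination outside the internal LAN")
    if rec["proto"] == 6 and rec["syn"]:
        notes.append("TCP connection attempt to port %d" % rec["dport"])
    return notes

# The log line from the original question, rejoined onto one line.
SAMPLE = ("Nov 12 16:01:25 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 "
          "192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19680 F=0x0000 T=60 SYN (#21)")

if __name__ == "__main__":
    print("\n".join(findings(parse(SAMPLE))))
```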