Mailinglist Archive: opensuse-security (670 mails)

Re: [suse-security] firewall log question
  • From: sis.frohn@xxxxxx
  • Date: Tue, 13 Nov 2001 08:17:28 +0100 (MET)
  • Message-id: <24330.1005635848@xxxxxxxxxxxxx>
On Tue, 13 Nov 2001, Ray Leach wrote:

> Hi
>
> sis.frohn@xxxxxx wrote:
>
> > Hi List,
> >
> > I run a small server with a permanent internet connection. This server
> > acts as proxy to supply about 10 win clients with access to the internet.
> > The internal network uses addresses like 192.168.1.n (that's on my eth0).
> >
>
> What is your subnet mask?
>
My subnet (internet side, eth1) uses addresses like 212.something

> >
> > I use the "personal firewall" to block all incoming connections on my eth1
> > (the internet side).
> >
> > I am confused by the following messages in my firewall log:
> >
> > Nov 12 16:01:25 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19680 F=0x0000 T=60 SYN (#21)
>
> These could be SYN packets that are new connections coming from the internet. Your
> ISP may have you on a 192.168.250.x subnet.

No.

And I contacted the provider but have no response so far. I can't even
ping that machine (192.168.250.111 - not very friendly).

>
> >
> > Nov 12 16:01:45 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19681 F=0x0000 T=60 SYN (#21)
> > Nov 12 16:02:05 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19682 F=0x0000 T=60 SYN (#21)
> > Nov 12 16:02:45 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19683 F=0x0000 T=60 SYN (#21)
> > Nov 12 16:02:54 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:2627 192.168.250.0:37 L=44 S=0x00 I=19685 F=0x0000 T=60 SYN (#21)
> > Nov 12 16:02:59 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:2627 192.168.250.0:37 L=44 S=0x00 I=19686 F=0x0000 T=60 SYN (#21)
> > Nov 12 16:03:09 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:2627 192.168.250.0:37 L=44 S=0x00 I=19687 F=0x0000 T=60 SYN (#21)
> > Nov 12 16:03:29 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:2627 192.168.250.0:37 L=44 S=0x00 I=19688 F=0x0000 T=60 SYN (#21)
> > Nov 12 16:03:49 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:2627 192.168.250.0:37 L=44 S=0x00 I=19689 F=0x0000 T=60 SYN (#21)
> >
> > This really fills up my log file.
> >
> > What confuses me is the fact that the source (192.168.250.111) is not part
> > of my subnet and that the dest. (192.168.250.0) is not my computer.
>
> >
> > I do not understand how these class C type packets get on my network
> > segment (when I understand things right, those addresses are not routed
> > at all). I just can tell that as soon as I pull the plug of eth1 those
> > messages vanish (no big surprise).
> >
> > I am not a computer expert so forgive me in case this is a totally
> > stupid question. But I could not find an answer to my question in the
> > literature...
> >
> > Thank you for your help,
> >
> > Josef
> >
> > --
> > J. Frohn

--
GMX - The communication platform on the Internet.
http://www.gmx.net
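
Added example, not part of the original mail: a small Python parser for the `Packet log:` lines quoted above that groups packets with a private (RFC 1918) source address logged on the external interface into flows, so the repeated entries collapse into one summary per flow. The function names, the `eth1` default and the last two sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Field layout of an ipchains "Packet log:" syslog line, as quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: Packet log: (?P<chain>\S+) "
    r"(?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9A-Fa-f]+ I=(?P<ipid>\d+) F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def private_on_external(lines, external_iface="eth1"):
    """Group private-source packets seen on the external interface by flow."""
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["iface"] != external_iface or not is_rfc1918(rec["src"]):
            continue
        key = (rec["src"], rec["dst"], int(rec["dport"]))
        flow = flows.setdefault(key, {"count": 0, "sports": set(),
                                      "first": rec["ts"], "last": rec["ts"]})
        flow["count"] += 1
        flow["sports"].add(int(rec["sport"]))
        flow["last"] = rec["ts"]
    return flows

# First three lines are from the post; the last two are constructed for contrast.
SAMPLE = [
    "Nov 12 16:01:25 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:8770 192.168.250.0:37 L=44 S=0x00 I=19680 F=0x0000 T=60 SYN (#21)",
    "Nov 12 16:02:54 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:2627 192.168.250.0:37 L=44 S=0x00 I=19685 F=0x0000 T=60 SYN (#21)",
    "Nov 12 16:03:49 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 192.168.250.111:2627 192.168.250.0:37 L=44 S=0x00 I=19689 F=0x0000 T=60 SYN (#21)",
    "Nov 12 16:04:00 server kernel: Packet log: rulchain REJECT eth1 PROTO=6 203.0.113.5:4000 198.51.100.7:80 L=44 S=0x00 I=100 F=0x0000 T=50 SYN (#21)",
    "Nov 12 16:04:05 server kernel: Packet log: input ACCEPT eth0 PROTO=17 192.168.1.10:1025 192.168.1.1:53 L=60 S=0x00 I=5 F=0x0000 T=128 (#3)",
]

if __name__ == "__main__":
    for key, flow in private_on_external(SAMPLE).items():
        print(key, flow)
```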

