What does this packet log message mean?
Hello!

I built a Linux firewall with SuSE Linux and ipchains. I've set up rules for FTP and SSH. (Firewall 201.0.0.1, server which provides FTP and SSH (also a Linux box) 200.0.0.1, local net 192.168.2.0/24.)

Every time I try to do SSH or FTP to another host outside my local net, I see in my log files something like:

kernel: Packet log: eth1-i DENY eth1 PROTO=6 200.0.0.1:1043 201.0.0.1:113 L=60 S=0x00 I=152 F=0x4000 T=64 SYN (#5)

and

kernel: Packet log: eth1-o DENY eth1 PROTO=6 201.0.0.1:113 200.0.0.1:1044 L=40 S=0x00 I=888 F=0x0000 T=255 (#2)

Does anybody know what causes this traffic?

Sven
Hi

On Tue, Sep 26, 2000 at 07:34:20PM +0200, Sven Schultheiß wrote:
> kernel: Packet log: eth1-i DENY eth1 PROTO=6 200.0.0.1:1043 201.0.0.1:113 L=60 S=0x00 I=152 F=0x4000 T=64 SYN (#5)
> and
> kernel: Packet log: eth1-o DENY eth1 PROTO=6 201.0.0.1:113 200.0.0.1:1044 L=40 S=0x00 I=888 F=0x0000 T=255 (#2)

These are TCP requests on port 113, which is the ident/auth port. It tells the requester which UID/user runs a certain service.

> Does anybody know what causes this traffic?

This could be daemons which have requested the ident in their respective config, or your iplogger, which does this whenever a TCP/UDP connection comes in. You should check the ftpd, httpd and iplogger configuration files first.
MfG/Regards,
Alexander

--
Alexander Reelsen
http://joker.rhwd.de   ref@linux.com
GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB   ar@rhwd.net
7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
Alexander Reelsen wrote:
> These are TCP requests on port 113, which is the ident/auth port. It tells the requester which UID/user runs a certain service.
>
> > Does anybody know what causes this traffic?
>
> This could be daemons which have requested the ident in their respective config, or your iplogger, which does this whenever a TCP/UDP connection comes in. You should check the ftpd, httpd and iplogger configuration files first.

The tcp_wrapper does that, too, in both the libwrap implementation as well as the tcpd implementation.

Cleartext: A opens a connection to B, and B uses the ident service of A (opens up an ident TCP connection to A) to ask _who_ on host A opened the first connection. A fairly useless protocol as seen from the security standpoint, since A trusts B's super user.
Thanks,
Roman.

--
Roman Drahtmüller
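As an added example (my code, not something posted in the thread), here is a small Python parser for ipchains "Packet log:" lines that labels port 113 traffic the way Alexander and Roman explain it: an inbound SYN to our port 113 is the far server asking who on our side opened the connection, and a non-SYN packet leaving from our port 113 is our side answering such a query. The set of local hosts and the label wording are my assumptions; the two sample lines are the ones Sven posted.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

IDENT_PORT = 113  # ident/auth service (RFC 1413)

# Shape of an ipchains "Packet log:" line from a 2.2 kernel, as quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

@dataclass
class PacketLog:
    chain: str    # chain the rule sits in, e.g. "eth1-i" (input) or "eth1-o" (output)
    target: str   # DENY, REJECT, ACCEPT ...
    proto: int    # 6 = TCP
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool     # True when the SYN marker is present, i.e. a new connection attempt
    rule: int     # rule number within that chain

# Parse one log line; None if it is not an ipchains packet log entry.
def parse_packet_log(line: str) -> Optional[PacketLog]:
    m = LOG_RE.search(line)
    if m is None:
        return None
    return PacketLog(m["chain"], m["target"], int(m["proto"]), m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), m["syn"] is not None, int(m["rule"]))

# Label TCP/113 traffic from the firewall's point of view; None for anything else.
# local_hosts is an assumption: the addresses we consider "ours" (here the firewall itself).
def classify_ident(pkt: PacketLog, local_hosts: Set[str]) -> Optional[str]:
    if pkt.proto != 6:
        return None
    if pkt.dport == IDENT_PORT and pkt.dst in local_hosts and pkt.syn:
        return f"incoming ident query: {pkt.src} asks who on {pkt.dst} opened a connection to it"
    if pkt.sport == IDENT_PORT and pkt.src in local_hosts and not pkt.syn:
        return f"reply from our auth port towards {pkt.dst} (no SYN, so not a new connection)"
    if pkt.dport == IDENT_PORT and pkt.src in local_hosts and pkt.syn:
        return f"outgoing ident query: a daemon on {pkt.src} asks {pkt.dst} who connected"
    return None

# The two lines Sven posted (firewall 201.0.0.1, FTP/SSH server 200.0.0.1).
SAMPLE_LINES = [
    "kernel: Packet log: eth1-i DENY eth1 PROTO=6 200.0.0.1:1043 201.0.0.1:113 L=60 S=0x00 I=152 F=0x4000 T=64 SYN (#5)",
    "kernel: Packet log: eth1-o DENY eth1 PROTO=6 201.0.0.1:113 200.0.0.1:1044 L=40 S=0x00 I=888 F=0x0000 T=255 (#2)",
]
```

Feeding each of `SAMPLE_LINES` through `parse_packet_log` and then `classify_ident(pkt, {"201.0.0.1"})` yields the "incoming ident query" and "reply from our auth port" labels respectively, matching the two DENY entries Sven saw on every outbound FTP or SSH connection.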