RE: [suse-security] Strange Log Message
> I'm getting an unusual message on the console which says.....
>
> Packet log: output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx: 61417 194.247.47.47 L=78 S=0x00 I=36552 F=0x4000 T=63 (#5)
Are you sure that's all there is? I'm missing the destination port number. 61417 is the source port. The destination port could tell us what the packet was supposed to achieve.
> Both the 61417 and the 36552 numbers rise all of the time to the next one and then drop back down to another one. Also getting ........
The rise in those numbers is their expected behaviour, since the source port is allocated by the IP masquerading code and the IP ID, used to distinguish IP packets from one another, seems to change in the same fashion in the Linux TCP/IP stack.
> IP_MASQ: ip_fw_masquerade(): change masq.addr from xxx.xxx.xxx.xx to xxx.xxx.xxx.xx
>
> Both these addresses are on this machine. One of them is eth0 and the other is the address of the machine.
Could be the machine is running out of source ports to use or the masquerading table per source address is full. I don't know if the latter is real, though, i.e. if there is a separate table per source address.
> Seen this on every SuSE 7.1 machine that I've installed. Anyone know what to do about it?

Well, why do you have ipchains rules configured to block that traffic and what is generating it, those are the questions to be answered.

Cheers,
Tobias
Tobias,

> Are you sure that's all there is? I'm missing the destination port number. 61417 is the source port. The destination port could tell us what the packet was supposed to achieve.

Yes .... that's all I can see.

> The rise in those numbers is their expected behaviour, since the source port is allocated by the IP masquerading code and the IP ID, used to distinguish IP packets from one another, seems to change in the same fashion in the Linux TCP/IP stack.

Yes

> Well, why do you have ipchains rules configured to block that traffic

Just to block the high ports.

> and what is generating it, those are the questions to be answered.

Yes, that's the part that I'm trying to understand :) I've disabled most services and used harden_suse to kill off the inetd daemon and most other things.

Thanks
-- Richard
> Just to block the high ports.

Ah! Then those may be dns queries outgoing that you're blocking. The destination port would really be nice to have.

> and what is generating it, those are the questions to be answered.
>
> Yes, that's the part that I'm trying to understand :) I've disabled most services and used harden_suse to kill off the inetd daemon and most other things.
>
> Thanks
> -- Richard
Hi

> Ah! Then those may be dns queries outgoing that you're blocking. The destination port would really be nice to have.

Well, these log messages are appearing on the screen after the machine has been disconnected from the net. It's temporarily connected to the net and the ISP with an ISDN connection. The destination port is port 53 at 194.247.47.47 which is the ISP. The latest one says ..........

output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx:61555 194.247.47.47:53 L=61 S=0x00 I=4974 F=0x4000 T=63 (#5)

The source of the data packet would seem to be the local machine. So far it started at port 36552 earlier on and now it's at port 61555 and still going up. Just can't understand where it's coming from on the local machine?

Thanks
-- Richard
Hi Richard, On 2001.07.18 17:56:28 +0100 Richard Ibbotson wrote:
> The latest one says ..........
>
> output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx:61555 194.247.47.47:53 L=61 S=0x00 I=4974 F=0x4000 T=63 (#5)
This means that your firewall (rule 5) has blocked a TCP (proto 17) packet, which would have gone out over ippp0 from you (xxx.xxx.xxx.xxx) to your ISP's nameserver. The incrementing source port number is nothing to worry about in itself, that is normal Linux behaviour.
> The source of the data packet would seem to be the local machine. So far it started at port 36552 earlier on and now it's at port 61555 and still going up.
>
> Just can't understand where it's coming from on the local machine?

You will have some process(es) running, which need to do name queries (eg sendmail, samba, etc etc...). In /etc/resolv.conf you have defined your ISP's server, so all queries go to it. The firewall rule (sensibly) stops the ISDN link being brought up automatically - imagine how much cost you would have if each of those packets had dialed your ISP...

Once you find which daemons are causing the packets, and if you find you *need* them, then you will have to live with it. You could add a firewall rule to block these packets and not log them, or try using the /etc/ppp/ip-up script to rewrite resolv.conf as the isdn link comes up and down (or run bind as a local caching-nameserver - see DNS-howto for info).

I had this problem a while ago, and fudged around it until I decided the best way to fix it (and loads of other issues!) was a DSL link :) hehehe!

HTH
Maf.

> Thanks
> -- Richard

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't." - Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
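As an added example, not part of this thread and not code from SuSE or the ipchains project, here is a small Python parser for the ipchains "Packet log:" lines quoted above. It pulls out the chain, target, interface, protocol number, addresses, ports, IP ID and rule number, names the protocol (17 is UDP, 6 is TCP, per the IANA protocol numbers) and the destination service (53 is DNS), tolerates the first line Richard posted, where the destination port is missing, and reports whether the source ports are climbing the way Tobias described. The field layout is taken from the two lines in the thread; the sample input below reuses those two lines plus two constructed ones (one with a syslog prefix and a TCP destination, one IP_MASQ line that is not a packet log at all), and the service-name table is an assumption for triage only.

```python
import re
from collections import Counter

# Field layout of an ipchains "Packet log:" line, as quoted in the thread:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>[:<dport>]
#               L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
# The destination port is optional because the first line Richard posted lacked it,
# and a space is allowed after "src:" because that line had one.
_LOG_RE = re.compile(
    r"(?P<chain>\w+)\s+(?P<target>\w+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\w.]+):\s*(?P<sport>\d+)\s+"
    r"(?P<dst>[\w.]+)(?::(?P<dport>\d+))?\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)\s+\(#(?P<rule>\d+)\)"
)

# IANA protocol numbers; everything else is reported by number.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumed triage table of well-known destination ports (not from the thread).
SERVICE_NAMES = {25: "SMTP", 53: "DNS", 80: "HTTP", 123: "NTP"}

SAMPLE_LINES = [
    # The two lines quoted in the thread (addresses anonymised by the poster).
    "Packet log: output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx: 61417 194.247.47.47 L=78 S=0x00 I=36552 F=0x4000 T=63 (#5)",
    "Packet log: output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx:61555 194.247.47.47:53 L=61 S=0x00 I=4974 F=0x4000 T=63 (#5)",
    # Constructed: the same kind of line with a syslog prefix and a TCP destination.
    "Jul 18 17:56:28 host kernel: Packet log: output DENY ippp0 PROTO=6 xxx.xxx.xxx.xxx:61556 194.247.47.47:25 L=60 S=0x00 I=4975 F=0x4000 T=63 (#5)",
    # Constructed: a masquerading message, which is not a packet log and must be skipped.
    "Jul 18 17:56:29 host kernel: IP_MASQ: ip_fw_masquerade(): change masq.addr from xxx.xxx.xxx.xx to xxx.xxx.xxx.xx",
]


def parse_packet_log(line):
    """Parse one ipchains log line into a dict; return None if it is not one."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("proto", "sport", "length", "ipid", "ttl", "rule"):
        e[key] = int(e[key])
    e["dport"] = int(e["dport"]) if e["dport"] is not None else None
    e["tos"] = int(e["tos"], 16)
    e["frag"] = int(e["frag"], 16)
    e["dont_fragment"] = bool(e["frag"] & 0x4000)  # DF bit of the IP flags/offset field
    e["proto_name"] = PROTO_NAMES.get(e["proto"], f"proto {e['proto']}")
    e["service"] = SERVICE_NAMES.get(e["dport"]) if e["dport"] is not None else None
    return e


def describe(e):
    """One-line human summary of a parsed entry, e.g. for a console or report."""
    dst = e["dst"] if e["dport"] is None else f"{e['dst']}:{e['dport']}"
    svc = f" ({e['service']})" if e["service"] else ""
    return (f"rule #{e['rule']} {e['target']} {e['chain']} {e['proto_name']} on "
            f"{e['iface']}: {e['src']}:{e['sport']} -> {dst}{svc}")


def summarize(lines):
    """Count DENY entries per (protocol, destination, port) and check that the
    source ports climb, which is what the ephemeral-port allocator produces."""
    flows = Counter()
    sports = []
    for line in lines:
        e = parse_packet_log(line)
        if e is None or e["target"] != "DENY":
            continue
        flows[(e["proto_name"], e["dst"], e["dport"])] += 1
        sports.append(e["sport"])
    rising = all(a < b for a, b in zip(sports, sports[1:]))
    return {"flows": dict(flows), "source_ports": sports, "source_ports_rising": rising}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_packet_log(line)
        print(describe(entry) if entry else f"skipped: {line[:40]}...")
    print(summarize(SAMPLE_LINES))
```

Feed it the kernel log (for example the lines syslog writes from `Packet log:`) and the flow summary shows at a glance that every denied packet is UDP to the ISP's port 53, which is the DNS-query diagnosis Tobias and Maf arrived at; from there the search moves to which local daemon is resolving names.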
> This means that your firewall (rule 5) has blocked a TCP (proto 17) packet, which would have gone out over ippp0 from you (xxx.xxx.xxx.xxx) to your ISP's nameserver.

Just to test this, set "query-source port 53;" in your /etc/named.conf and you will notice that the source port will not be 53.

Noah.