Re: [suse-security] Oddball log entry...
Moonshi Mohsenruddin wrote:
Do an ipchains listing. That should show you _IF_ you might have errors in your rules.
I checked the ipchains with -L, listing all rules. I can't see anything wrong there, and there are no errors. The packet seems to error out when hitting eth1 (outside world NIC), not while going thru the firewall.

Addendum to my previous list: I received another bogus packet error a few minutes after sending my original mail, so I analyzed the times between these packets. In the first two series, a second packet was sent 4 minutes after the first, but not in the third series. From the first packet of one series to the first packet of the next series resulted in time differences of roughly (h:m) 1:21, 2:15, 2:31, 2:33. (The last packet, after my post, came in at 21:37.) With this, I figured the next packet might come in anywhere from 23:52 to 00:10. It's now 01:06, and nothing.

In short, I can't find any particular pattern. I can't relate it to bandwidth use, as today is the first I've seen the packets, but over the weekend I surfed steadily and received none. Damn.

I just wondered if they coincided with when I sent emails, so I checked my sent mail times. No correlation at all.

Think Alan Cox would get mad if I asked him what they meant? He could probably read that stuff like English.... ;-)
-----Original Message-----
From: scottm@smtp11.bellglobal.com [mailto:scottm@smtp11.bellglobal.com] On Behalf Of Scott McEachern
Sent: Wednesday, August 18, 1999 10:31 AM
To: suse-security@suse.com
Subject: [suse-security] Oddball log entry...
Hey folks!

Two days ago I set up a firewall box (SuSE 6.1, 2.2.10, ipchains, masquerading) connected to my offline intranet. I have another NIC in this box using a DHCP-supplied IP addy from my provider. This second NIC is to a semi-permanent xDSL connection. I have IP_ALWAYS_DEFRAG enabled in the kernel, along with all the masquerading stuff, firewall stuff, etc. I do not run inetd, and all my ports are blocked except those required for HTTP and DHCPClient. I do not run X. Basically, the box is pretty tight. I can only get into the firewall via SSH from my LAN. I do not route any outside service requests into the intranet. There are no accounts on the firewall other than the root account. It is used for nothing more than a firewall/masquerade box.

Attached are the relevant entries from my /var/log/messages regarding "bogus packet size." Eth1 is my connection to the net, from which the packets are coming. Eth0 (not listed) is my NIC to my intranet.

Has anyone seen this kind of thing before?!? I'm wondering if this is some type of attack on the masquerading defragment bug. Note the receipt times of the packets. Almost all of them are from around 14:20 and 16:33. I've never seen anything like this. Is this an attack or natural phenomenon? I have had the same DHCP assigned public IP address for a couple days now (both xDSL modem and firewall online), so someone port scanning should be able to find me.

Also, I found nothing else out of the ordinary in the logs. Just my cron jobs and every 30 minutes the DHCP stuff.

Suggestions?!?
-- mailto:scott.mceachern@sympatico.ca
On the side of the software box, in the "System requirements section", it said "Requires Windows 95 or better." So I installed Linux.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBN7nFUGefe0TVuy5lEQImmQCeLGdUAIl10WuMHM35+c6Lqk9sXCUAn0NP
3r71a/UjzCGReWkx6c1s3lKR
=QkC2
-----END PGP SIGNATURE-----
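The timing analysis Scott does by hand in his reply (grouping the "bogus packet size" entries into series, measuring the gap from the first packet of one series to the first of the next, and projecting a window for the next one) is easy to script against /var/log/messages. The following is an added example and is not code from the thread or from the SuSE list. The log lines in it are constructed samples in classic syslog layout, not the entries Scott attached; the year 1999 (absent from syslog timestamps) and the 10-minute limit for what counts as the same series are assumptions chosen here.

```python
"""Group 'bogus packet size' syslog entries into bursts and measure the
time between bursts, the analysis the poster did by hand above."""
import re
from datetime import datetime, timedelta

PATTERN = "bogus packet size"

# Constructed sample of /var/log/messages lines (not the poster's attachment).
# Two bursts with a ~4 minute follow-up packet, three single-packet bursts,
# and one unrelated cron line that must be ignored.
SAMPLE_LOG = """\
Aug 18 14:20:11 firewall kernel: bogus packet size
Aug 18 14:24:09 firewall kernel: bogus packet size
Aug 18 14:30:01 firewall /usr/sbin/cron[212]: (root) CMD (constructed filler line)
Aug 18 15:41:30 firewall kernel: bogus packet size
Aug 18 15:45:27 firewall kernel: bogus packet size
Aug 18 17:56:02 firewall kernel: bogus packet size
Aug 18 20:27:44 firewall kernel: bogus packet size
Aug 18 23:00:13 firewall kernel: bogus packet size
"""

# "Mon  d HH:MM:SS " or "Mon dd HH:MM:SS " at the start of a syslog line.
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def parse_events(log_text, year=1999, pattern=PATTERN):
    """Return sorted datetimes of every line containing `pattern`.

    Syslog timestamps carry no year, so the caller supplies one (1999 is an
    assumption matching the thread's date); a log spanning New Year would
    need extra handling."""
    events = []
    for line in log_text.splitlines():
        if pattern not in line:
            continue
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        mon, day, hms = m.groups()
        events.append(datetime.strptime(f"{year} {mon} {int(day):02d} {hms}",
                                        "%Y %b %d %H:%M:%S"))
    return sorted(events)


def group_bursts(times, within=timedelta(minutes=10)):
    """Consecutive events closer than `within` form one burst (series)."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= within:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def burst_gaps(bursts):
    """Gap from the first packet of one burst to the first of the next."""
    starts = [b[0] for b in bursts]
    return [later - earlier for earlier, later in zip(starts, starts[1:])]


def next_window(bursts):
    """Naive forecast: last burst start plus the smallest and largest gap
    seen so far. None when there are fewer than two bursts to compare."""
    gaps = burst_gaps(bursts)
    if not gaps:
        return None
    last = bursts[-1][0]
    return last + min(gaps), last + max(gaps)


def analyze(log_text, year=1999):
    bursts = group_bursts(parse_events(log_text, year))
    return {"bursts": bursts, "gaps": burst_gaps(bursts), "window": next_window(bursts)}


def fmt(td):
    """Render a timedelta as h:mm:ss."""
    total = int(td.total_seconds())
    return f"{total // 3600}:{(total % 3600) // 60:02d}:{total % 60:02d}"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for burst in result["bursts"]:
        print("burst:", ", ".join(t.strftime("%b %d %H:%M:%S") for t in burst))
    print("gaps between bursts:", ", ".join(fmt(g) for g in result["gaps"]))
    lo, hi = result["window"]
    print("next burst, if periodic:", lo.strftime("%b %d %H:%M"), "to", hi.strftime("%b %d %H:%M"))
```

On a real box, run it with `analyze(open("/var/log/messages").read())`. The forecast is only as good as the assumption of periodicity; when, as in Scott's case, the predicted window passes with nothing logged, that is itself evidence against a scheduled probe.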