Suse 8.0 Vmware 3.1

My SuSEfirewall configuration is progressing. I am on the net! But am not sure what to make of this

Brian Marr

Oct 2 21:11:03 Gringo kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=vmnet1 OUT= MAC=00:50:56:c0:00:01:00:50:56:c1:6c:f5:08:00 SRC=192.168.77.128 DST=192.168.77.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=49945 DF PROTO=TCP SPT=1025 DPT=139 WINDOW=8653 RES=0x00 ACK URGP=0

On October 2, 2002 08:43 am, Brian Marr wrote:
> Suse 8.0 Vmware 3.1 My SuSEfirewall configuration is progressing. I am on the net ! But am not sure what to make of this Brian Marr
>
> Oct 2 21:11:03 Gringo kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=vmnet1 OUT= MAC=00:50:56:c0:00:01:00:50:56:c1:6c:f5:08:00 SRC=192.168.77.128 DST=192.168.77.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=49945 DF PROTO=TCP SPT=1025 DPT=139 WINDOW=8653 RES=0x00 ACK URGP=0

IN=vmnet1 # The OS you're running under Vmware generated the packet
DPT=139 # That's the destination port, which is Netbios

Basically, Windows under Vmware is sending traffic (looking for other Windows boxes) and your SuSEfirewall is configured to reject and log packets on port 139.

--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com

On Wednesday 02 October 2002 16.02, James Oakley wrote:
> On October 2, 2002 08:43 am, Brian Marr wrote:
> > Suse 8.0 Vmware 3.1 My SuSEfirewall configuration is progressing. I am on the net ! But am not sure what to make of this Brian Marr
> >
> > Oct 2 21:11:03 Gringo kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=vmnet1 OUT= MAC=00:50:56:c0:00:01:00:50:56:c1:6c:f5:08:00 SRC=192.168.77.128 DST=192.168.77.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=49945 DF PROTO=TCP SPT=1025 DPT=139 WINDOW=8653 RES=0x00 ACK URGP=0
>
> IN=vmnet1 # The OS you're running under Vmware generated the packet
> DPT=139 # That's the destination port, which is Netbios
>
> Basically, Windows under Vmware is sending traffic (looking for other Windows boxes) and your SuSEfirewall is configured to reject and log packets on port 139.

No, the problem is that it isn't configured to accept packets from the vmnet1 interface on that ip address at all. I think he needs to set up class routing in SuSEfirewall2

//Anders

I wonder where VMware should appear in the SuSEfirewall script ? I do not want it to be accessible to the internet, but accessible to my LAN (at least the Host). Currently SuSEfirewall is dropping VMware packets when I turn it on.

Brian Marr

Ifconfig

Gringo:/home/magpie # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:02:44:19:8B:50
          inet addr:192.xxx.xx.x  Bcast:192.168.50.255  Mask:255.255.255.0
          inet6 addr: fe80::202:44ff:fe19:8b50/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2603644 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1824661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:280080492 (267.1 Mb)  TX bytes:565419632 (539.2 Mb)
          Interrupt:9 Base address:0x1000

ippp0     Link encap:Point-to-Point Protocol
          inet addr:150.xxx.x.xxx  P-t-P:203.16.215.220  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP DYNAMIC  MTU:1500  Metric:1
          RX packets:636883 errors:0 dropped:0 overruns:0 frame:0
          TX packets:615824 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:30
          RX bytes:437491432 (417.2 Mb)  TX bytes:51316064 (48.9 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:768791 errors:0 dropped:0 overruns:0 frame:0
          TX packets:768791 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:72052846 (68.7 Mb)  TX bytes:72052846 (68.7 Mb)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
          inet addr:192.168.77.1  Bcast:192.168.77.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:1/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:283923 errors:0 dropped:0 overruns:0 frame:0
          TX packets:349334 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:C0:00:08
          inet addr:192.168.120.1  Bcast:192.168.120.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:8/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6693 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Gringo:/home/magpie #

On Wednesday 02 October 2002 23.10, Brian Marr wrote:
> I wonder where VMware should appear in the SuSEfirewall script ?

FW_DEV_INT="vmnet1 vmnet8"

and either allow class routing or set up forwarding.

> I do not want it to be accessible to the internet, but accessible to my LAN (at least the Host). Currently SuSEfirewall is dropping VMware packets when I turn it on.
> Brian Marr
> Ifconfig
> Gringo:/home/magpie # ifconfig
> eth0 Link encap:Ethernet HWaddr 00:02:44:19:8B:50
> inet addr:192.xxx.xx.x Bcast:192.168.50.255 Mask:255.255.255.0

There's no point in crossing out 192.168-addresses. If anyone outside your lan can reach them it's a miracle (or a tremendous blunder on the part of your ISP). Those are private, non-routable addresses.

//Anders

More progress! Thanks for that suggestion. I found a line about class routing (not sure what this is) at the bottom of the SuSEfirewall script. Once enabled VMware seems to be working.................in conjunction with FW_DEV_INT="vmnet1 vmnet8"

I have got a permanent ip address from my Internet Service Provider. I wonder if this should go into the script somewhere. For now ippp0 seems to be working ok i.e. accessing the net.

Brian Marr

Replying to my own mail

In KMail I received an email with a link. I followed this to download a pdf file. SuSEfirewall responded as below. I could not get the pdf. Any suggestions ?

Brian Marr

Oct 3 07:34:12 Gringo kernel: SuSE-FW-DROP IN=ippp0 OUT= MAC= SRC=80.59.176.41 DST=150.101.6.219 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=33501 DF PROTO=TCP SPT=54286 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402

I'll break it down for you

> Oct 3 07:34:12 Gringo kernel: SuSE-FW-DROP
Header

> IN=ippp0
Connection from ippp0 (I assume this is your public connection)

> SRC=80.59.176.41 DST=150.101.6.219
Self-explanatory. IP 80.59.176.41 is connecting to 150.101.6.219

> LEN=48 TOS=0x00 PREC=0x00
> TTL=103 ID=33501 DF PROTO=TCP SPT=54286 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 OPT
It's trying to establish a connection to port 139. Typically these are signs of Nimda making its way around the net. See the link below for more info and a really nice log analysis tool.

http://logi.cc/linux/NetfilterLogAnalyzer.php3#1
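
Added example, not part of any poster's message: a small Python parser for the kernel log format broken down field by field above, run on the two firewall lines quoted in this thread. The function names and the triage wording are illustrative choices, not SuSEfirewall output.

```python
import ipaddress
import re

# Sample input: the two kernel lines quoted in this thread, copied as posted.
SAMPLE = [
    "Oct 2 21:11:03 Gringo kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=vmnet1 OUT= "
    "MAC=00:50:56:c0:00:01:00:50:56:c1:6c:f5:08:00 SRC=192.168.77.128 "
    "DST=192.168.77.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=49945 DF PROTO=TCP "
    "SPT=1025 DPT=139 WINDOW=8653 RES=0x00 ACK URGP=0",
    "Oct 3 07:34:12 Gringo kernel: SuSE-FW-DROP IN=ippp0 OUT= MAC= "
    "SRC=80.59.176.41 DST=150.101.6.219 LEN=48 TOS=0x00 PREC=0x00 TTL=103 "
    "ID=33501 DF PROTO=TCP SPT=54286 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 "
    "OPT (020405B401010402",
]

LINE_RE = re.compile(r"kernel: (?P<rule>SuSE-FW-[A-Z-]+) (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Split one firewall log line into rule prefix, KEY=value fields, TCP flags."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["rule"] = m.group("rule")
    fields["flags"] = sorted(TCP_FLAGS & set(tokens))  # bare words such as SYN
    return fields

def triage(f):
    """Summarise who sent the packet, on which interface, and what kind it is."""
    src = ipaddress.ip_address(f["SRC"])
    origin = "private" if src.is_private else "public"
    # A lone SYN opens a connection; ACK without SYN claims an existing one.
    kind = "new-connection" if f["flags"] == ["SYN"] else "mid-stream"
    return (f"{origin} {f['SRC']} via {f['IN']} -> port "
            f"{f['DPT']}/{f['PROTO']} ({kind}, {f['rule']})")

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(parse(line)))
```

The first line comes out as private-address traffic arriving on vmnet1, the second as a new connection attempt from a public address on ippp0, which is the distinction the replies in this thread turn on.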

Cool! I like this : )

Brian Marr

> And a really nice log analysis tool.

Answering my own email - SuSEfirewall test is also reporting

Oct 3 06:42:27 Gringo smbd[10641]: [2002/10/03 06:42:27, 0] smbd/service.c:make_connection(249)
Oct 3 06:42:27 Gringo smbd[10641]: localhost (148.240.98.224) couldn't find service c
Oct 3 06:42:29 Gringo kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=148.240.98.224 DST=150.xxx.x.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=11567 DF PROTO=TCP SPT=1434 DPT=139 WINDOW=8756 RES=0x00 ACK URGP=0

I don't recognize 148.240.98.244 at all

Brian Marr

participants (4)
- Anders Johansson
- Brian Marr
- James Oakley
- Rowan Reid