Can someone explain the following firewall trace? I run a Linux box (not in LAN) that is connected to the Internet via PPP. Look at the IP addresses: 195.130.232.21 is not mine! Whose are they? And what kind of address is the 224.0.0.1 (reserved!)? Thank you in advance.

Feb 18 16:05:34 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=56123 OP (94040000) PROTO=2
Feb 18 16:06:35 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=58787 OP (94040000) PROTO=2
Feb 18 16:07:35 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=61542 OP (94040000) PROTO=2
Feb 18 16:08:35 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=64584 OP (94040000) PROTO=2
Feb 18 16:09:37 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=1934 OPT (94040000) PROTO=2
Feb 18 16:10:37 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=4839 OPT (94040000) PROTO=2
Feb 18 16:10:50 myhost kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=62.135.1.27 DST=62.11.78.46 LEN=78 TOS=0x00 PREC=0x00 TTL=105 ID=2133 PROTO=UDP SPT=1026 DPT=137 LEN=58
Feb 18 16:11:37 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=7692 OPT (94040000) PROTO=2
In message <200302181715.30022.fmdf@tiscali.it>, adm
<SNIP>

Hi,

This is my first post to this list and this is my part interpretation since you don't seem to be getting any other replies. If I'm wrong perhaps it will stimulate someone to correct me and I will learn as well.

Address 195.130.232.21

derek@gargoyle:~> whois 195.130.232.21
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 195.130.224.0 - 195.130.238.255
netname: TISCALINET
descr: Tiscali SpA
descr: PROVIDER
country: IT
admin-c: FP1849-RIPE
admin-c: RC524-RIPE
tech-c: TI335-RIPE
rev-srv: ns.tiscalinet.it
rev-srv: sns.tiscali.it
status: ASSIGNED PA
mnt-by: AS8612-MNT
changed: pau@it.tiscali.com 20011220
changed: pau@it.tiscali.com 20011220
source: RIPE

route: 195.130.224.0/19
descr: Tiscali SpA
origin: AS8612
mnt-by: AS8612-MNT
changed: rcardella@it.tiscali.com 20010816
source: RIPE

role: Tiscali IT
address: Tiscali S.p.A.
address: Via Dolcetta 16
address: 09122 - Cagliari
address: Italy
phone: +39 070 46011
fax-no: +39 070 4601400
e-mail: netadmin@it.tiscali.com
remarks: +------------------------------------------------------+
remarks: |                                                      |
remarks: | PLEASE CONTACT OUR ABUSE DIVISION (abuse@tiscali.it) |
remarks: | FOR ABUSE and-or SPAM COMPLAINTS.                    |
remarks: |                                                      |
remarks: | Please notice all complaints regarding abuse which   |
remarks: | are sent to other email addresses WILL BE IGNORED!   |
remarks: |                                                      |
remarks: +------------------------------------------------------+
admin-c: RC524-RIPE
tech-c: RC524-RIPE
tech-c: FB2233-RIPE
tech-c: FP1849-RIPE
nic-hdl: TI335-RIPE
remarks: hostmaster role account
notify: netadmin@it.tiscali.com
mnt-by: AS8612-MNT
changed: rcardella@it.tiscali.com 20010821
changed: rcardella@it.tiscali.com 20020226
changed: rcardella@it.tiscali.com 20020926
changed: pau@it.tiscali.com 20021007
source: RIPE

person: Ruben Cardella
address: Tiscali SpA
address: Viale Trento 39
address: 09123 Cagliari
address: Italy
remarks: Network Engineer
phone: +39 070 46011
fax-no: +39 070 4609328
e-mail: rcardella@it.tiscali.com
nic-hdl: RC524-RIPE
changed: fboi@it.tiscali.com 20010808
source: RIPE

person: Francesco Pau
address: Tiscali SpA
address: Via Dolcetta 16
address: 09122 Cagliari
address: Sardinia - Italy
phone: +39 070 46011
fax-no: +39 070 4601400
fax-no: +39 070 4609251
e-mail: pau@it.tiscali.com
nic-hdl: FP1849-RIPE
changed: pau@tiscali.it 20010116
changed: rcardella@it.tiscali.com 20010821
changed: rcardella@it.tiscali.com 20010829
changed: pau@it.tiscali.com 20011219
source: RIPE

Now from the header of your mail I see =

Message-Id: <200302181715.30022.fmdf@tiscali.it>
Subject: [SLE] Strange firewall logs.

and the logs re proto2 are being generated at roughly 1 minute intervals. I reason that your own ISP, Tiscali is pinging or port scanning you for its own reason.

Feb 18 16:10:50 myhost kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=62.135.1.27 DST=62.11.78.46 LEN=78 TOS=0x00 PREC=0x00 TTL=105 ID=2133 PROTO=UDP SPT=1026 DPT=137 LEN=58

This looks like a scan on your net bios - (ports 137 to 139)

Now all that is left is a real expert on this list to tell us -

1) what protocol 2 does, if we need to worry about it and if there is anything sinister in the netbios scan, and
2) if it's nothing to worry about, what you need in the firewall setup to allow these/this request/s.
3) explain about reserved ip addresses.

Stands by ready with fire extinguisher for when the flames hit the fan ...

--
Derek Byram
Registered Linux user 264346
In message <7Uf0pZNWVlW+EwGC@byram.org.uk>, Derek Byram
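An added example, not part of either post: a Python triage of three lines copied from the trace in this thread, decoding the fields the posts ask about. The lookup tables rest on facts from outside the thread (IANA protocol number 2 is IGMP, 224.0.0.1 is the all-systems multicast group, IP option type 0x94 is Router Alert), and the year 2003 is an assumption taken from the Message-Id, since syslog omits it.

```python
import ipaddress
import re
from datetime import datetime

# Three lines copied from the trace posted in the thread.
TRACE = """\
Feb 18 16:10:37 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=4839 OPT (94040000) PROTO=2
Feb 18 16:10:50 myhost kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=62.135.1.27 DST=62.11.78.46 LEN=78 TOS=0x00 PREC=0x00 TTL=105 ID=2133 PROTO=UDP SPT=1026 DPT=137 LEN=58
Feb 18 16:11:37 myhost kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=195.130.232.21 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=7692 OPT (94040000) PROTO=2
""".splitlines()

PROTO = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers
GROUPS = {"224.0.0.1": "all systems on this subnet",
          "224.0.0.2": "all routers on this subnet"}
NETBIOS = {"137": "NetBIOS name service", "138": "NetBIOS datagram",
           "139": "NetBIOS session"}
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: (\S+) (.*)$")

def parse(line):
    """Split one netfilter LOG line into time, rule prefix and KEY=value fields."""
    stamp, prefix, rest = LINE.match(line).groups()
    rec = {"prefix": prefix}
    for key, value in re.findall(r"(\w+)=(\S*)", rest):
        rec.setdefault(key, value)  # first LEN is the IP length; UDP repeats the key
    opt = re.search(r"OPT? \(([0-9A-Fa-f]+)\)", rest)  # some lines read "OP ("
    rec["OPT"] = opt.group(1) if opt else ""
    # Assumption: year 2003, taken from the thread's Message-Id.
    rec["time"] = datetime.strptime("2003 " + stamp, "%Y %b %d %H:%M:%S")
    return rec

def describe(line):
    """Return (protocol name, list of observations) for one log line."""
    rec = parse(line)
    dst = ipaddress.ip_address(rec["DST"])
    notes = []
    if dst.is_multicast:
        notes.append("multicast: " + GROUPS.get(str(dst), "other group"))
    if rec["TTL"] == "1":
        notes.append("TTL 1: will not be routed further")
    if rec["OPT"].lower().startswith("94"):
        notes.append("IP Router Alert option (type 0x94)")
    if rec.get("DPT") in NETBIOS:
        notes.append("destination port: " + NETBIOS[rec["DPT"]])
    return PROTO.get(rec["PROTO"], rec["PROTO"]), notes

def intervals(lines, src):
    """Seconds between consecutive log lines from one source address."""
    times = [r["time"] for r in map(parse, lines) if r["SRC"] == src]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

`describe(TRACE[0])` reports the PROTO=2 lines as IGMP sent to the all-systems multicast group with TTL 1, and `intervals(TRACE, "195.130.232.21")` gives the spacing between them.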