Hi list!
A stupid question of mine again... I already searched the internet, but didn't find any suitable information. I had the following entry in my firewall-log:
Sep 20 22:32:04 memphis kernel: Packet log: rulchain REJECT eth0 PROTO=6 195.217.171.5:3675 xx.x.x.xx:80 L=44 S=0x10 I=38515 F=0x4000 T=106 SYN (#6)
Sep 20 22:32:06 memphis kernel: Packet log: rulchain REJECT eth0 PROTO=6 195.217.171.5:3675 xx.x.x.xx:80 L=44 S=0x10 I=32117 F=0x4000 T=106 SYN (#6)
Since I'm on cable Internet, the second address, i.e. the destination, is an internal address. Am I wrong in suspecting that the possible suspect has come from inside that "internal" network? How else should he have got that IP? Plus, what port is that he's coming from?
Congratulations, you use the SuSEpersonal-firewall, and you have set REJECT_ALL_INCOMING_CONNECTIONS to "eth0". What you see is a box connecting to your interface eth0, IP xx.x.x.xx, port 80. So this looks like an HTTP request. The port where the connection is coming from is arbitrary - you are seeing two packet logs, both initiated from the same socket (it is the same port). Are you sure that eth0 is the interface you want to protect your machine from?
TIA
Markus
Thanks,
Roman.
--
| Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see,
| SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless