The 03.10.23 at 17:48, Jon Clausen wrote:
> (had better) know what stuff *I'm* running, but I'd like to know what this junk in my firewall logs *might* do.
You might install 'snort' (it is on the distro). After I had it working, I have a new log '/var/log/snort/alert'. For example, for those martian packets, I get:

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/23-23:05:31.752040 127.0.0.1:80 -> 212.166.91.160:1116
TCP TTL:127 TOS:0x0 ID:62963 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x28FB0001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

But the info in that url is incorrect in this case: it points to a problem of packets with a spoofed return address going out of the system (egress). Those ET are coming from outside.

-- 
Cheers,
Carlos Robinson
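The point Carlos makes above, that a loopback-source alert can be an inbound spoof rather than the egress problem the Xref describes, is easy to check mechanically. The following Python is an added example (not code from the post, from the list, or from snort itself): it parses one block of snort's "full" alert format into fields, decodes the TCP flag mask, and then decides the direction of a martian-source packet from whether its destination is one of the monitored host's own addresses. The sample alert is the one quoted in the post with its line breaks restored; treating 212.166.91.160 as the firewall host's own address is an assumption made for the example, and the flag-letter order `12UAPRSF` is the order snort uses when printing the mask.

```python
import ipaddress
import re

# Alert text in snort's "full" alert format, copied from the post above
# with its line breaks restored (one constructed sample, not a live feed).
SAMPLE_ALERT = """\
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/23-23:05:31.752040 127.0.0.1:80 -> 212.166.91.160:1116
TCP TTL:127 TOS:0x0 ID:62963 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x28FB0001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
# timestamp, src[:port] -> dst[:port]; ports are absent for ICMP alerts
FLOW_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8}) Seq:")
XREF_RE = re.compile(r"\[Xref => (.+?)\]")

# Snort prints the TCP flag mask as eight characters in this order.
TCP_FLAG_NAMES = ["RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def parse_full_alert(text):
    """Parse one snort 'full'-format alert block into a dict of fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("alert block too short")
    header = HEADER_RE.match(lines[0])
    cls = CLASS_RE.search(lines[1])
    flow = FLOW_RE.match(lines[2])
    proto = PROTO_RE.match(lines[3])
    if not (header and cls and flow and proto):
        raise ValueError("unrecognised alert layout")
    gid, sid, rev, msg = header.groups()
    alert = {
        "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
        "classification": cls.group(1), "priority": int(cls.group(2)),
        "timestamp": flow.group(1),
        "src": flow.group(2), "sport": int(flow.group(3)) if flow.group(3) else None,
        "dst": flow.group(4), "dport": int(flow.group(5)) if flow.group(5) else None,
        "proto": proto.group(1), "ttl": int(proto.group(2)),
        "flags": [], "xref": [],
    }
    for ln in lines[4:]:
        m = FLAGS_RE.match(ln)
        if m and alert["proto"] == "TCP":
            # Any character other than '*' marks a set bit in that position.
            alert["flags"] = [name for name, ch in zip(TCP_FLAG_NAMES, m.group(1)) if ch != "*"]
        alert["xref"].extend(XREF_RE.findall(ln))
    return alert


def assess_spoof_direction(alert, local_addrs):
    """Say which way a martian-source packet was really travelling.

    local_addrs: addresses/networks belonging to the monitored host or site
    (assumed for the example; taken from the firewall's own configuration
    in real use).  The egress write-up the rule references applies to
    forged-source packets *leaving* the site.  A loopback/unroutable source
    addressed *to* one of our own interfaces cannot have come from our stack,
    so it arrived from outside: an ingress spoof.
    """
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    local = [ipaddress.ip_network(n) for n in local_addrs]
    martian = src.is_loopback or src.is_unspecified or src.is_link_local or src.is_multicast
    if not martian:
        return "source is not martian"
    if dst.is_loopback:
        return "loopback-to-loopback: stack-internal, not from the wire"
    if any(dst in net for net in local):
        return "ingress spoof: martian source addressed to a local interface"
    return "egress spoof: martian source leaving toward a remote host"


if __name__ == "__main__":
    parsed = parse_full_alert(SAMPLE_ALERT)
    print(parsed)
    # 212.166.91.160 is assumed here to be the firewall host's own address.
    print(assess_spoof_direction(parsed, ["212.166.91.160"]))
```

For the post's alert the verdict is "ingress spoof": the source claims to be 127.0.0.1, the destination is the host's own public address, and the flags decode to ACK+RST, which is what a reflected or backscatter reset looks like rather than anything the local stack would emit toward itself. The Xref's egress advice would only fit a martian source seen leaving toward a remote destination.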