Re: Re: debian repository on hit list

To: Brent Elmer <webe3@myrealbox.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: Re: debian repository on hit list
From: Mike Mestnik <cheako911@yahoo.com>
Date: Thu, 4 Mar 2004 21:49:03 -0800 (PST)
Message-id: <[🔎] 20040305054903.42955.qmail@web11908.mail.yahoo.com>
In-reply-to: <[🔎] 1078443936.12386.14.camel@elmer.nodomain.nowhere>

Heh, what we have here is logging of http or ftp data packets.  What dose
the low level(iptables) fierwall show I.E. "iptables -t
{nat,filter,mangle} -L".

Port maches.
ny.com.www > l3.net.35109
in:ppp0 out: port:35109 source:rama.progeny.com

Size also matches.
17:25:33.064532 rama.progeny.com.www >
dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P 
59861:59998(137) ack 180 win 65535 (DF) (ttl 54, id 13486, len 177)
time:Mar  4 17:25:33 in:ppp0 out: port:35109 source:rama.progeny.com
dest:171.75.199.82 len:177 
tos:0x00 protocol:tcp service:unknown

And

17:25:35.734325 rama.progeny.com.www >
dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P 
69787:70218(431) ack 180 win 65535 (DF) (ttl 54, id 25790, len 471)
time:Mar  4 17:25:35 in:ppp0 out: port:35109 source:rama.progeny.com
dest:171.75.199.82 len:471 
tos:0x00 protocol:tcp service:unknown


--- Brent Elmer <webe3@myrealbox.com> wrote:
> I used tcpdump in the following way:
> $tcpdump -a -vvv -i ppp0 host rama.progeny.com -w tcpdump.out
> 
> then I did this:
> tcpdump -vvv -r tcpdump.out > tcpdump.readable
> 
> I saved the firestarter hits to a file.  The hits did contain
> rama.progeny.com hits.  I don't know much about interpreting what is
> going on but here are the two files.  Does this show anything or do I
> need to do something else?
> 
> Thanks,
> 
> Brent
> 
> 
> On Thu, 2004-03-04 at 16:55, Mike Mestnik wrote:
> > Use tcpdump to find ought more info about what is going on.
> > 
> > --- Brent Elmer <webe3@myrealbox.com> wrote:
> > > I changed my repository from ftp://archive.progeny.com to
> > > http://archive.progeny.com in Synaptic.  I still get a lot of hits
> for
> > > rama.progeny.com in firestarter during Synaptic downloading.  The
> > > downloads stall a lot about the same time that firestarter reports
> the
> > > blocked hits from rama.progeny.com.  Is there something else I can
> do?
> > > 
> > > -- 
> > > Brent Elmer <webe3@myrealbox.com>
> > > 
> > 


__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you?re looking for faster
http://search.yahoo.com

Reply to:

Follow-Ups:
- Re: Re: debian repository on hit list
  - From: Brent Elmer <webe3@myrealbox.com>

References:
- Re: Re: debian repository on hit list
  - From: Brent Elmer <webe3@myrealbox.com>

Prev by Date: Re: debian repository on hit list
Next by Date: Re: Re: debian repository on hit list
Previous by thread: Re: Re: debian repository on hit list
Next by thread: Re: Re: debian repository on hit list
Index(es):
- Date
- Thread