
Re: logging with firehol



On Friday 28 May 2004 17:59, Jonas Meurer wrote:
> with a running and working firehol firewall, I still
> get these messages in syslog:
>
> May 28 17:51:06 diana50 kernel: IN-interface1:IN=eth0 OUT=
> MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=62.99.78.133
> DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=46176 DF PROTO=TCP
> SPT=3372 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 May 28 17:51:07 diana50
> kernel: IN-interface1:IN=eth0 OUT=
> MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114
> DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=22801 DF PROTO=TCP
> SPT=3934 DPT=5554 WINDOW=16384 RES=0x00 SYN URGP=0 May 28 17:51:08 diana50
> kernel: IN-interface1:IN=eth0 OUT=
> MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114
> DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=23315 DF PROTO=TCP
> SPT=4192 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=29184
>
> in my eyes this looks like some tiny people (62.99.78.133
> and 213.10.237.114) requested something on my server
> diana50 (62.75.129.11) over TCP, but on which port?

You can find the port number they tried for at DPT=nnnn (DPT = Destination 
Port).

In your example it's port 445 in the first, 5554 in the second and 9898 in the 
last sample.

Bye,

   Christian

-- 

   Christian
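Added example, not part of the reply above and not FireHOL code: a small Python parser that pulls SRC, DPT and the other KEY=VALUE fields out of kernel LOG lines like the ones quoted, including entries that a mail client has wrapped or run together. The function names `parse_entries` and `ports_by_source` are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the three entries from the quoted message, with the mail
# client's wrapping kept (entries run together, syslog headers split).
SAMPLE = """May 28 17:51:06 diana50 kernel: IN-interface1:IN=eth0 OUT=
MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=62.99.78.133
DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=46176 DF PROTO=TCP
SPT=3372 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 May 28 17:51:07 diana50
kernel: IN-interface1:IN=eth0 OUT=
MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114
DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=22801 DF PROTO=TCP
SPT=3934 DPT=5554 WINDOW=16384 RES=0x00 SYN URGP=0 May 28 17:51:08 diana50
kernel: IN-interface1:IN=eth0 OUT=
MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114
DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=23315 DF PROTO=TCP
SPT=4192 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=29184"""

# Each entry starts with a syslog header: "Mon DD HH:MM:SS host kernel: "
HEADER = re.compile(r"\b(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) kernel: ")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # value may be empty, e.g. "OUT="
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}  # bare tokens, no "="

def parse_entries(text):
    """Return one dict per LOG entry found in text."""
    text = " ".join(text.split())          # undo line wrapping
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        # The log prefix is whatever precedes the first IN= field.
        prefix, sep, rest = text[h.end():end].partition("IN=")
        if not sep:
            continue                       # kernel message, but not a LOG line
        entry = {"time": h.group(1), "host": h.group(2), "prefix": prefix.strip()}
        entry.update(FIELD.findall("IN=" + rest))
        entry["flags"] = [tok for tok in rest.split() if tok in FLAGS]
        entries.append(entry)
    return entries

def ports_by_source(entries):
    """Map each source IP to the sorted destination ports it tried."""
    seen = defaultdict(set)
    for e in entries:
        if "SRC" in e and e.get("DPT", "").isdigit():
            seen[e["SRC"]].add(int(e["DPT"]))
    return {src: sorted(ports) for src, ports in seen.items()}

if __name__ == "__main__":
    print(ports_by_source(parse_entries(SAMPLE)))
```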


