What is it that is hitting my Firewall ... lots?
Hi All,
I'm not sure how to decipher firewall logs yet, hoped you could help.
I've got a basic firewall that is allowing in remote ssh, and local
(intranet) http requests only.
Something from the router address is hitting it constantly - last time I
saw something like this (in my v. short history administering linux
boxes) it was spyware on a PC, but this is a router. Anyway, I wondered
if someone could shed light on what it might be. Here's an example from
the logs:
Apr 19 15:00:51 database kernel: block: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:8c:77:75:08:00 SRC=192.168.0.254 DST=192.168.0.255 LEN=135 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=17603 DPT=162 LEN=115
To give you an idea of frequency, this line (almost exactly as is,
including time, but the len value slightly different) is repeated in the
logs dozens of times per second.
Happy to post the firewall script if that would help.
Is this normal for a router (which is at 192.168.0.254) to do this?
Also, the reason I've been checking the logs is to work out why
local/intranet users haven't been able to access the box via http (port
80, TCP) - they are getting a page unavailable message, but the firewall
was letting them in a couple of weeks ago, and it hasn't been changed at
all. Anyway, this might be a red herring, but am curious anyhow.
Cheers,
David
--
David Powell
Information Systems Developer
Moondrake Trust
e: moondrake at optusnet dot com dot au
ASCII ribbon campaign against HTML email
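An added example, not part of the original post: a small Python parser for the netfilter LOG format quoted in the message, which tallies logged packets by source, destination, protocol and destination port, and marks frames sent to the Ethernet broadcast address. The service table and the second and third sample lines are constructed for illustration; UDP 162 is the IANA-registered SNMP trap port, and the MAC= field is destination MAC, source MAC, then EtherType.

```python
import re
from collections import Counter

# Constructed sample: the line from the post rejoined onto one line, a
# constructed repeat with other LEN values, and one constructed TCP line.
SAMPLE = """\
Apr 19 15:00:51 database kernel: block: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:8c:77:75:08:00 SRC=192.168.0.254 DST=192.168.0.255 LEN=135 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=17603 DPT=162 LEN=115
Apr 19 15:00:51 database kernel: block: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:66:8c:77:75:08:00 SRC=192.168.0.254 DST=192.168.0.255 LEN=137 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=17603 DPT=162 LEN=117
Apr 19 15:00:52 database kernel: block: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Hypothetical lookup table for this example; extend as needed.
SERVICES = {("TCP", 22): "ssh", ("TCP", 80): "http",
            ("UDP", 161): "snmp", ("UDP", 162): "snmptrap"}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one netfilter LOG line into its KEY=value fields."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)   # LEN appears twice: keep the IP length
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:               # dst MAC, src MAC, EtherType
        fields["MAC_DST"] = ":".join(octets[:6])
        fields["MAC_SRC"] = ":".join(octets[6:12])
    return fields

def summarize(text):
    """Count logged packets per (SRC, DST, PROTO, DPT, service, l2-broadcast)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if not {"SRC", "DST", "PROTO"} <= f.keys():
            continue                    # not a packet log line
        dpt = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
        service = SERVICES.get((f["PROTO"], dpt), "unknown")
        broadcast = f.get("MAC_DST") == "ff:ff:ff:ff:ff:ff"
        counts[(f["SRC"], f["DST"], f["PROTO"], dpt, service, broadcast)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Feeding the real log file's contents to `summarize()` in place of `SAMPLE` shows which source and port account for the bulk of the blocked entries.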