Re: What is it that is hitting my Firewall ... lots?

To: debian-firewall@lists.debian.org
Subject: Re: What is it that is hitting my Firewall ... lots?
From: "Hans Spaans" <cj.spaans@nexit.nl>
Date: Tue, 19 Apr 2005 13:55:10 +0200 (CEST)
Message-id: <[🔎] 2995.132.229.57.229.1113911710.squirrel@nullrouted.xs4all.nl>
In-reply-to: <[🔎] 4264CB45.3090509@optusnet.com.au>
References: <[🔎] 4264CB45.3090509@optusnet.com.au>

On Tue, April 19, 2005 11:11, David Powell said:
> Hi All,
>
> I'm not sure how to decipher firewall logs yet, hoped you could help.
> I've got a basic firewall that is allowing in remote ssh, and local
> (intranet) http requests only.
>
> Something from the router address is hitting it constantly - last time I
> saw something like this (in my v. short history administering linux
> boxes) it was spyware on a PC, but this is a router.  Anyway, I wondered
> if someone could shed light on what it might be.  Here's an example from
> the logs:
>
> Apr 19 15:00:51 database kernel: block: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:0f:66:8c:77:75:08:00 SRC=192.168.0.254
> DST=192.168.0.255 LEN=135 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP
> SPT=17603 DPT=162 LEN=115

Your router is sending SNMP-traps to (I assume) your broadcast address.

> To give you an idea of frequency,this line (almost exactly as is,
> including time, but the len value slightly different) is repeated in the
> logs dozens of times per second.

The length of a SNMP-trap is somewhat limited to the size of the
UDP-packet. SNMP-traps can also use TCP, but you won't see that unless you
sniffer between HP-Openview or Tivoli Netview machines for example. And
the frequency, that depends how you have configured your router assuming
it is your router sending these messages.

> Happy to post the firewall script if that would help.
>
> Is this normal for a router (which is at 192.168.0.254) to do this?

It depends on what you have configured, but most admins use these features
to monitor there machines.

> Also, the reason I've been checking the logs is to work out why
> local/intranet users haven't been able to access the box via http (port
> 80, TCP) - they are getting a page unavailable message, but the firewall
> was letting them in a couple of weeks ago, and it hasn't been changed at
> all.  Anyway, this might be a red herring, but am curious anyhow.

Without any knowlegde from your setup, the best advice may be. Follow the
path between user and webserver back and forward, top to bottom. So is the
webserver running, is the webserver responding to the right answers, point
the dns-entry to the right address, do you see the requests for the
webserver on the network interface of the webserver and do they go back,
does your firewall processes the packets. Using tcpdump, telnet to port 80
and adding log entries to your acl's on your webserver and firewall may
come in handy.

Hans

Reply to:

References:
- What is it that is hitting my Firewall ... lots?
  - From: David Powell <moondrake@optusnet.com.au>

Prev by Date: Re: What is it that is hitting my Firewall ... lots?
Next by Date: several problem with SNAT and transproxy
Previous by thread: Re: What is it that is hitting my Firewall ... lots?
Next by thread: several problem with SNAT and transproxy
Index(es):
- Date
- Thread