
Re: mysterious ipchains deny from 192.168.*.* ??



On Tue, Apr 10, 2001 at 12:52:22PM -0700, Brandon High wrote:
> On Tue, 10 Apr 2001, will trillich wrote:
> 
> > here's a logcheck message i got recently, where ipchains is
> > logging certain unwelcome hits (based on what's primarily the
> > default ipmasq filtering rules)--
> > 
> > ----- Forwarded message from root <root@serensoft.com> -----
> > 
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Apr  8 17:45:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.149.223.27:10 224.0.0.2:0 L=28 S=0x00 I=11290 F=0x0000 T=128 (#7)
> 
> PROTO=1 means that it was an ICMP packet. Someone is trying to ping you.
> 
> Look at /usr/include/netinet/ip_icmp.h for an explanation of ICMP types. The
> type is listed after the : on your host address.
> 
> Type 0 is ICMP_ECHOREPLY

okay. and that someone is at 172.149.223.27, right? so i can
figure out from that ip which domain they're in:

	% whois 172.149.223.27
	America Online, Inc. (NETBLK-AOL-172BLK)
	   12100 Sunrise Valley Drive
	   Reston, VA 20191
	   US

	   Netname: AOL-172BLK
	   Netblock: 172.128.0.0 - 172.191.255.255
	   Maintainer: AOL
	[snip]

no surprise there.

--

so now here's the BIG mystery --

Apr  8 17:59:48 server kernel: Packet log:
	input DENY eth1 PROTO=1 192.168.241.180:4
	208.33.90.85:0 L=56 S=0x00 I=12140 F=0x4000 T=240 (#4)

where did THIS packet come from? 192.168.241.180 ? that's an
intranet ip, a localnet / lan address, theoretically from
somewhere inside the building. but all we've got inside here
is 192.168.1.* !!

ideas?

-- 
americans should never read anything so subversive as what's at
http://www.salon.com/people/col/pagl/2001/03/21/spring/index1.html

will@serensoft.com
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!
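Reading the two log lines above by hand is error-prone because ipchains reuses the `addr:port` slots for ICMP: for PROTO=1 the number after the source address is the ICMP *type* and the number after the destination address is the ICMP *code*, and the `F=` field is the raw 16-bit fragment word (0x4000 is the Don't Fragment bit). The decoder below is an added example, not code from the original thread; it embeds the two lines quoted in the thread (the second one joined back onto a single line) as sample input, and the function and dictionary names are this example's own. It also checks, per RFC 1918 and the multicast range, whether the source is a private address and whether the destination is multicast, which is exactly the property that makes the second line odd.

```python
"""Decode ipchains 'Packet log:' lines, with ICMP type/code and fragment flags.

Added example for this thread; the two sample lines are copied from the
e-mails above, everything else (names, tables) is this example's own.
"""
import ipaddress
import re

# Sample input constructed from the two lines quoted in the thread.
SAMPLE_LOG = """\
Apr  8 17:45:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.149.223.27:10 224.0.0.2:0 L=28 S=0x00 I=11290 F=0x0000 T=128 (#7)
Apr  8 17:59:48 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12140 F=0x4000 T=240 (#4)
"""

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# ICMP message types (RFC 792 / RFC 1256, same numbers as netinet/ip_icmp.h).
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 9: "router advertisement",
    10: "router solicitation", 11: "time exceeded", 12: "parameter problem",
    13: "timestamp", 14: "timestamp reply",
}

# ipchains log layout: chain target iface PROTO=n src:a dst:b L= S= I= F= T= (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sfield>\d+) (?P<dst>[\d.]+):(?P<dfield>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return a dict describing one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    frag = int(m["frag"], 16)          # IP header flags + fragment offset word
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    rec = {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": str(src), "dst": str(dst),
        "length": int(m["len"]), "ttl": int(m["ttl"]), "rule": int(m["rule"]),
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": frag & 0x1FFF,
        "src_private": src.is_private,      # RFC 1918 (10/8, 172.16/12, 192.168/16)
        "dst_multicast": dst.is_multicast,  # 224.0.0.0/4
    }
    if proto == 1:
        # For ICMP the "port" slots carry type (source side) and code (dest side).
        rec["icmp_type"] = int(m["sfield"])
        rec["icmp_code"] = int(m["dfield"])
        rec["icmp_name"] = ICMP_TYPES.get(rec["icmp_type"], "unknown")
    else:
        rec["sport"] = int(m["sfield"])
        rec["dport"] = int(m["dfield"])
    return rec


def suspicious(rec):
    """Why a denied packet deserves a second look (empty list if nothing stands out)."""
    reasons = []
    if rec["src_private"]:
        reasons.append("RFC 1918 source address")
    if rec["dst_multicast"]:
        reasons.append("multicast destination")
    if rec["proto"] == "ICMP" and rec["icmp_type"] in (4, 5):
        reasons.append("ICMP %s can alter routing/throughput" % rec["icmp_name"])
    return reasons


def decode_log(text):
    """Parse every ipchains line in a block of syslog text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in decode_log(SAMPLE_LOG):
        what = rec["proto"]
        if what == "ICMP":
            what += " type %d/%d (%s)" % (rec["icmp_type"], rec["icmp_code"], rec["icmp_name"])
        print("%s %s %s -> %s %s DF=%s TTL=%d rule #%d %s" % (
            rec["iface"], rec["target"], rec["src"], rec["dst"], what,
            rec["dont_fragment"], rec["ttl"], rec["rule"], suspicious(rec)))
```

Run against the two sample lines this prints the first as ICMP type 10 (router solicitation) to the all-routers multicast group 224.0.0.2, and the second as ICMP type 4 (source quench) with DF set and an RFC 1918 source, which is what makes it worth asking which network is really attached to eth1.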


