
Re: firewall log message question



On 29 May 2001, will trillich said:

> when i was out of town last week, and nobody was at the house,
> i get this log message from logcheck reflecting some firewall
> block--
> 
> 	To: root@serensoft.com
> 	Subject: server 05/23/01:13.02 system check
> 	From: root <root@serensoft.com>
> 	Date: Wed, 23 May 2001 13:02:02 -0500
> 
> 	Security Violations
> 	=-=-=-=-=-=-=-=-=-=
> 	May 23 12:51:01 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.1.62:3 208.33.90.85:13 L=56 S=0x00 I=30114 F=0x0000 T=248 (#5)
> 	May 23 12:51:05 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.1.62:3 208.33.90.85:13 L=56 S=0x00 I=30125 F=0x0000 T=248 (#5)
> 	May 23 12:51:11 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.1.62:3 208.33.90.85:13 L=56 S=0x00 I=30140 F=0x0000 T=248 (#5)
> 	May 23 12:51:23 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.1.62:3 208.33.90.85:13 L=56 S=0x00 I=30167 F=0x0000 T=248 (#5)
> 
> 192.168.1.* is my local (intra) net, and 208.33.90.85 is my
> public ip number. i don't have any 192.168.1.62 set up, (tho i do
> have .1, .2, .100, .102, .200) and i can't see why 208.33.90.85
> would be looking for one. port 13, according to /etc/services, is
> normally 'daytime' and i don't know what port 3 would normally
> be.

It's ICMP, not TCP or UDP.

bash-2.05$ head -11 /etc/protocols 
# /etc/protocols:
# $Id: protocols,v 1.1 1995/02/24 01:09:41 imurdock Exp $
#
# Internet (IP) protocols
#
#       from: @(#)protocols     5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).

ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
bash-2.05$ 

Don't know ICMP well enough to tell you the significance of 3 and 13.

Is eth1 your internal or your external interface, e.g. 192.168.1.0/24 or
208.33.90.85? If it's your external the packet was coming from upstream,
e.g. your ISP connection.

If it's your internal interface then it appears that something was making
requests from 192.168.1.62 from your internal network. Do you use dhcp? Do
you have any machines with multiple IP addies?

Did you ping and traceroute to 192.168.1.62 to make sure it's not out there?

ciao,

der.hans
-- 
# der.hans@LuftHans.com home.pages.de/~lufthans/ www.DevelopOnline.com
#  C'est la Net - der.hans
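As an added example (not from this thread or its author), a small Python parser for the ipchains "Packet log" lines quoted above. For PROTO=1 the two numbers after the addresses are the ICMP type and code rather than ports, so the 3 and 13 in the quoted lines decode to "destination unreachable, communication administratively prohibited"; the type/code table is the subset of RFC 792/1812 assignments needed here, and the sample lines are copied from the quoted log.

```python
import re

# ipchains (Linux 2.2) "Packet log" format. For PROTO=1 (ICMP) the field
# after the source address is the ICMP type and the one after the
# destination address is the ICMP code, not TCP/UDP ports.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sfield>\d+) "
    r"(?P<dst>[\d.]+):(?P<dfield>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-f]+) T=(?P<ttl>\d+)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Subset of ICMP type and destination-unreachable code assignments.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 3: "port unreachable", 9: "net administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}

def parse_packet_log(line):
    """Return a dict describing one ipchains log line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    rec = {"action": d["action"], "iface": d["iface"], "src": d["src"],
           "dst": d["dst"], "proto": PROTO_NAMES.get(proto, str(proto)),
           "ttl": int(d["ttl"]), "ip_id": int(d["id"])}
    if proto == 1:
        t, c = int(d["sfield"]), int(d["dfield"])
        rec["icmp_type"], rec["icmp_code"] = t, c
        desc = ICMP_TYPES.get(t, "type %d" % t)
        if t == 3:  # only type 3 uses the unreachable-code table
            desc += ", " + UNREACH_CODES.get(c, "code %d" % c)
        rec["meaning"] = desc
    else:
        rec["sport"], rec["dport"] = int(d["sfield"]), int(d["dfield"])
    return rec

def summarize(lines):
    """Count DENY entries per (src, dst, proto, type/code or sport->dport)."""
    counts = {}
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["action"] != "DENY":
            continue
        detail = ("%d/%d" % (rec["icmp_type"], rec["icmp_code"]) if rec["proto"] == "ICMP"
                  else "%d->%d" % (rec["sport"], rec["dport"]))
        key = (rec["src"], rec["dst"], rec["proto"], detail)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Sample input: two lines copied from the log quoted in the thread.
SAMPLE_LINES = [
    "May 23 12:51:01 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.1.62:3 208.33.90.85:13 L=56 S=0x00 I=30114 F=0x0000 T=248 (#5)",
    "May 23 12:51:05 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.1.62:3 208.33.90.85:13 L=56 S=0x00 I=30125 F=0x0000 T=248 (#5)",
]
```

A type 3/code 13 message is what a router or packet filter sends back when it has blocked something, so the line records a reply addressed to the public IP rather than a probe of it; the interface the rule fired on (the eth1 question above) still decides where 192.168.1.62 is actually reachable from.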