
Re: strange Shorewall entry



On Jan 4, 2008 10:16 AM, Douglas A. Tutty <dtutty@porchlight.ca> wrote:
I found this in my log today:

Jan  3 21:58:05 titan kernel: Shorewall:fw2net:REJECT:
       IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.185.144
       LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27582 DF
       PROTO=TCP SPT=38111 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 21:58:05 titan kernel: Shorewall:fw2net:REJECT:
       IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.184.142
       LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27569 DF
       PROTO=TCP SPT=47263 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0

I have shorewall reject anything going out via a port I haven't opened.
Neither source nor destination ports are in /etc/services and I haven't
seen these before.

My concern is that they come from my box (fw) and attempt to go out to
the net.  This implies that something on my box is corrupted.  Any
ideas?  At the time of this entry, my box was running Konqueror (via ssh
from the other box) and was downloading information on HP DDS tapes from
the HP website.  It also had open tabs to wikipedia and perhaps a google
search results page.

-----8<-----
chris@layla:~$ dig -x 16.100.185.144

; <<>> DiG 9.3.4 <<>> -x 16.100.185.144
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22933
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3

;; QUESTION SECTION:
;144.185.100.16.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
144.185.100.16.in-addr.arpa. 14400 IN   PTR     internal-host.americas.hpqcorp.net.

;; AUTHORITY SECTION:
185.100.16.in-addr.arpa. 14400  IN      NS      ns4.hp.com.
185.100.16.in-addr.arpa. 14400  IN      NS      ns3.hp.com.
185.100.16.in-addr.arpa. 14400  IN      NS      ns1.hp.com.
185.100.16.in-addr.arpa. 14400  IN      NS      ns2.hp.com.
185.100.16.in-addr.arpa. 14400  IN      NS      ns6.hp.com.
185.100.16.in-addr.arpa. 14400  IN      NS      ns5.hp.com.

;; ADDITIONAL SECTION:
ns4.hp.com.             4974    IN      A       15.203.224.14
ns2.hp.com.             4973    IN      A       15.219.160.12
ns6.hp.com.             4973    IN      A       15.195.208.12

;; Query time: 154 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Fri Jan  4 10:27:08 2008
;; MSG SIZE  rcvd: 255
-----8<-----

Maybe their download server runs on an alternate port?  (Though I cannot seem to telnet to this server on 8030 or 80.)

--
Chris Howie
http://www.chrishowie.com
http://en.wikipedia.org/wiki/User:Crazycomputers
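An added example (not code from either poster) of how a defender could sift a Shorewall log for exactly the pattern Douglas describes: new TCP connections the firewall host itself initiated that the fw2net chain rejected, going to a port outside the known-service list. The sample log is constructed from the two entries in the quoted message, in the wrapped form they appear in the mail, plus one made-up inbound net2fw entry the filter should ignore; the known-port set is an assumption standing in for /etc/services.

```python
import re

# Constructed sample log: the two fw2net REJECT entries from the message
# (wrapped as a mail client would wrap them) and one made-up inbound entry.
SAMPLE_LOG = """\
Jan  3 21:58:05 titan kernel: Shorewall:fw2net:REJECT:
       IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.185.144
       LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27582 DF
       PROTO=TCP SPT=38111 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 21:58:05 titan kernel: Shorewall:fw2net:REJECT:
       IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.184.142
       LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27569 DF
       PROTO=TCP SPT=47263 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 22:01:10 titan kernel: Shorewall:net2fw:DROP:
       IN=ppp0 OUT= SRC=198.51.100.7 DST=209.29.44.23
       LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter key=value fields and bare flag tokens (DF, SYN, ACK, ...).
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")

def unwrap(text):
    """Rejoin records that were wrapped onto indented continuation lines."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records

def parse_record(rec):
    """Return chain, disposition, flag set and key=value fields, or None."""
    m = PREFIX.search(rec)
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    flags = {tok for tok in tokens if "=" not in tok}
    return {"chain": m.group("chain"), "disp": m.group("disp"), "flags": flags, **fields}

def outbound_from_firewall(records, known_ports):
    """Locally originated (IN empty, OUT set) new TCP connections (SYN, no ACK)
    that were REJECTed or DROPped and aimed at a port not in known_ports."""
    hits = []
    for rec in records:
        p = parse_record(rec)
        if p is None or p["disp"] not in ("REJECT", "DROP"):
            continue
        if p.get("IN", "") != "" or not p.get("OUT"):
            continue  # arrived on an interface, so not from this host
        if p.get("PROTO") != "TCP" or "SYN" not in p["flags"] or "ACK" in p["flags"]:
            continue
        if int(p["DPT"]) in known_ports:
            continue
        hits.append((p["chain"], p["SRC"], p["DST"], int(p["DPT"])))
    return hits

if __name__ == "__main__":
    for hit in outbound_from_firewall(unwrap(SAMPLE_LOG), {22, 80, 443}):
        print("locally originated, unknown port:", hit)
```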