Ola,

        Generally, there should be absolutely no traffic coming from port 0 of any
machine. Any traffic from port 0 should be considered highly suspicious and
investigated promptly, since it is usually indicative of crafted packets.
If the traffic is coming from your DMZ, you should examine who has root or
sudo privileges on that machine, and assess if they could have installed/run
some tool that manufactures packets (ippacket, nmap, etc). If you do not
see those around, and/or see that nobody was logged onto your machine when
you saw those packets, it is time to break out that tripwire database, and
check the binaries, because it is possible that it has been "rooted".

If you want to post the trace of this communication to the list, maybe we
could be of more help.

-Igor Gashinsky, GCIA

At 10:48 AM 4/6/00 +0200, Ola Samuelson wrote:
>Hi!
>Sure this has been discussed but ... what is going on when a machine from
>the DMZ communicates via port 0 to an unknown host?
>Thanks!
>
>//OS
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
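
Added example, not part of the original messages: one way to pull the port 0 packets sent by DMZ hosts out of a `tcpdump -n` text capture, so there is a trace to investigate or post. The DMZ range 192.0.2.0/24, the function name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the DMZ is 192.0.2.0/24 (documentation range); set it to your own network.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")

# tcpdump -n text format for TCP/UDP over IPv4: "IP src.sport > dst.dport: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)

# Constructed sample capture, not taken from the thread.
SAMPLE = """\
10:48:01.100000 IP 192.0.2.10.0 > 198.51.100.7.53: UDP, length 32
10:48:01.200000 IP 192.0.2.10.33012 > 198.51.100.7.80: Flags [S], seq 1, win 512, length 0
10:48:02.300000 IP 192.0.2.10.0 > 198.51.100.7.0: Flags [S], seq 2, win 512, length 0
10:48:03.400000 IP 192.0.2.10 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
10:48:04.500000 IP 203.0.113.5.0 > 192.0.2.20.25: Flags [S], seq 3, win 512, length 0
10:48:05.600000 IP 192.0.2.20.25 > 203.0.113.5.0: Flags [R.], seq 0, ack 4, win 0, length 0
"""

def port_zero_from_dmz(lines, dmz=DMZ_NET):
    """Return {dmz_host: [(timestamp, destination, sport, dport), ...]} for
    TCP/UDP packets sent by a DMZ host with source or destination port 0."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:  # ICMP and other port-less lines do not match the pattern
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport != 0 and dport != 0:
            continue
        # Only packets that originate in the DMZ are reported.
        if ipaddress.ip_address(m["src"]) in dmz:
            hits[m["src"]].append((m["ts"], m["dst"], sport, dport))
    return dict(hits)

if __name__ == "__main__":
    for host, events in port_zero_from_dmz(SAMPLE.splitlines()).items():
        print(f"{host}: {len(events)} port-0 packet(s)")
        for ts, dst, sport, dport in events:
            print(f"  {ts} -> {dst} sport={sport} dport={dport}")
```

The timestamps in the result are what to line up against login records on the reported host. A hit with a non-zero source port and destination port 0, like the last sample line, is a DMZ host answering an inbound packet that itself came from port 0.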