The third was apparently addressed to your network or broadcast address and your router is not configured to block "directed broadcast" packets. The router took the destination IP and MAC addresses and replaced them with ff.ff.ff.ff and ff:ff:ff:ff:ff:ff Dest port 19000 is the default listener for the internal Sendmail host when using TM's VirusWall. On 10 Oct 00, at 16:09, Firewalls-Digest wrote: > Date: Tue, 10 Oct 2000 11:39:05 +0100 > From: Rui Pedro Bernardino <[EMAIL PROTECTED]> > Subject: packets to 255.255.255.255? > > Hi, > I have this weird problem and cannot figure out what might be causing > it. Among the everyday port/ip scans, I recently got a few weird lines > on our fw-1: > drop fw1 >le0 proto tcp src 213.61.112.165 dst fw1 service 19000 > s_port ftp-data len 40 rule 18 > drop fw1 >le0 proto tcp src 213.61.112.165 dst www service 19000 > s_port ftp-data len 40 rule 18 > drop fw1 >le0 proto tcp src 213.61.112.165 dst 255.255.255.255 > service 19000 s_port ftp-data len 40 rule 18 > > Well, the first two are easy (someone is trying to check if I allow > incoming ftp-data through some "non-stateful" packet filter); the third > one I cannot understand. My external router drops source routed ip > packets, so how could this packet get here? There are no other systems > on this VLAN and on previous scans, the src addr was different. > > Thanks George Bakos - Security Engineer Electronic Warfare Associates Information & Infrastructure Technologies 802-338-3213 To request PGP public key, mailto:[EMAIL PROTECTED]?subject=sendpubkey or http://pgpkeys.mit.edu:11371/ - [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
