Well, actually, now that I really look at it, I bet 194.122.33.243 is your firewall,
based on the lo in the message, showing this packet is being seen on the loopback
address. Perhaps more of a misconfiguration on the firewall somehow than an attack.
-Michele
Michele Jordan wrote:
> I would read those messages to say that you are receiving packets with an inside
> address (194.122.33.243) on the outside interface. So they are being denied because
> the address is seen on the wrong interface (bad-if). This is a standard attack,
> spoofing the inside address to perhaps get past filters.
>
> -Michele
>
> "David D.W. Downey" wrote:
>
> > On Fri, 15 Dec 2000 [EMAIL PROTECTED] wrote:
> >
> > >
> > > Hello,
> > >
> > > since 3 days now I'm getting the following entries in my logfile:
> > >
> > > Dec 15 12:30:15 firewall kernel: Packet log: bad-if DENY lo PROTO=1
> > > 194.122.33.243:3 194.122.33.243:1 L=92 S=0xC0 I=4595 F=0x0000 T=255 (#1)
> >
> > If you look through the IPCHAINS-HOWTO you'll find some good info for you.
> >
> > From the logs you can see that your first rule in the input chains (the #1
> > text at the end of the line) is causing your system to deny the inbound
> > packet.
> >
> > 194.122.33.243 connecting from port 3 sent a packet to port 1 on your
> > loopback interface (the lo)
> >
> > Port 1 is the TCP Multiplexor port (tcpmux) as seen from the /etc/services
> > file
> >
> > tcpmux 1/tcp # TCP port service multiplexer
> >
> > Port 3 is the system's tcp compression port
> >
> > Its service name is called compressnet
> >
> > What exactly that is I can only guess. I **THINK** it's used when you send
> > compressed packets across a system either during something like when you
> > use some ftp site's ability to send you a compressed tarball of the ftp
> > site itself. **BEAR IN MIND, I COULD BE WRONG!**
> >
> > To find out what particular ports are you can also hit
> >
> > http://www.stengel.net/tcpports.htm
> > OR
> > http://users.dhp.com/~whisper/mason/nmap-services (I like this one)
> >
> > Now, as to the WHY of your question, that is something I can not answer.
> >
> > --
> >
> > David D.W. Downey
> > RHCE
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
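
An added example, not part of the thread: a Python parser for the ipchains log entry quoted above. It follows the field layout in the IPCHAINS-HOWTO that the thread points to, in which the two "port" slots of a PROTO=1 (ICMP) entry hold the ICMP type and code. The function name, the `self_on_loopback` flag and the small ICMP code table are choices made for this example.

```python
import re

# ipchains "Packet log" layout as documented in the IPCHAINS-HOWTO:
# chain TARGET iface PROTO=n src:sport dst:dport L= S= I= F= T= (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Small subset of ICMP type 3 (destination unreachable) codes, RFC 792.
ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable"}

def parse_packet_log(line):
    """Return a dict describing one ipchains log line, or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    if rec["proto"] == 1:
        # For ICMP the two "port" slots carry the ICMP type and code.
        rec["icmp_type"], rec["icmp_code"] = rec.pop("sport"), rec.pop("dport")
        if rec["icmp_type"] == 3:
            rec["icmp_desc"] = ICMP_UNREACH.get(rec["icmp_code"], "unreachable")
    # Locally generated traffic: same address both ends, seen on loopback.
    rec["self_on_loopback"] = rec["iface"] == "lo" and rec["src"] == rec["dst"]
    return rec

# The entry quoted in the thread, joined back onto one line.
SAMPLE = ("Dec 15 12:30:15 firewall kernel: Packet log: bad-if DENY lo PROTO=1 "
          "194.122.33.243:3 194.122.33.243:1 L=92 S=0xC0 I=4595 F=0x0000 T=255 (#1)")

if __name__ == "__main__":
    for key, value in sorted(parse_packet_log(SAMPLE).items()):
        print(f"{key:17} {value}")
```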