For issues like this, I get off the firewall and go to the routers, one
in front of the firewall and the one behind it, and watch to see which
interfaces the packets arrive on and go out to.

As it is, I'm not sure you have eliminated the inside as the source of the
packets yet.

Thanks,

Ron DuFresne

On Thu, 4 Jan 2001, elvene wrote:

> Jeff, Thanks for the quick response.
> 
> My firewall is a NAT, and does have an HTTP proxy on it.  But I do not
> use the 192.168.27.X address space anywhere, and I am seeing several
> dozens of different source addresses on these packets - none of which I
> use (all in the 192.168.X.X range).   It looks as though someone is
> trying a brute force 192.168.(ALL):80 --> (Firewall):(All ports) scan.
> 
> The bogus packets are originating outside of both my internal net, and
> my DMZ.  I know this because they do not trip the "drop and log" rule on
> the DMZ or the internal net (although I am confirming I have both of
> these set the way I believe I do, even now!)
> 
> A tracert to these bogus IP addresses reports destination unreachable,
> at the next hop after my router (ISP maintained, I have no control over
> the router).
> 
> So I don't know what they could be looking for... Or how they expect to
> know when they have or haven't found it. :o(
> 
> I am at this point adding a rule outbound internet to block any and all
> to this range specifically.
> 
> Guy Skaggs
> 
> 
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
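
Added example, not part of either message above: one way to answer the "which interface do they arrive on" question from logs is to group packets with RFC 1918 source addresses that are not in use locally by ingress interface. The log layout, the interface names (ext0, dmz0, int0), the internal range 10.1.0.0/16 and all addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines; the "in=... src=..." layout is a hypothetical
# log format, not the output of any particular firewall or router.
SAMPLE_LOG = """\
Jan  4 10:01:02 fw drop in=ext0 src=192.168.27.14 sport=80 dst=203.0.113.5 dport=1025
Jan  4 10:01:02 fw drop in=ext0 src=192.168.27.14 sport=80 dst=203.0.113.5 dport=1026
Jan  4 10:01:03 fw drop in=ext0 src=192.168.113.9 sport=80 dst=203.0.113.5 dport=1027
Jan  4 10:01:04 fw pass in=int0 src=10.1.0.20 sport=3312 dst=198.51.100.7 dport=80
Jan  4 10:01:05 fw drop in=dmz0 src=192.168.40.2 sport=80 dst=203.0.113.5 dport=1028
Jan  4 10:01:06 fw drop in=ext0 src=198.51.100.7 sport=80 dst=203.0.113.5 dport=1029
garbage line that does not parse
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"in=(\S+) src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")


def unexpected_private_sources(log_text, local_nets):
    """Group packets whose source is RFC 1918 but outside local_nets by ingress interface."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    seen = defaultdict(lambda: {"packets": 0, "sources": set(), "dports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        iface, src, _sport, _dst, dport = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed source address
        # Keep only private sources that the site does not actually use.
        if not any(addr in n for n in RFC1918) or any(addr in n for n in local):
            continue
        entry = seen[iface]
        entry["packets"] += 1
        entry["sources"].add(src)
        entry["dports"].add(int(dport))
    return dict(seen)


if __name__ == "__main__":
    result = unexpected_private_sources(SAMPLE_LOG, ["10.1.0.0/16"])
    for iface, e in sorted(result.items()):
        print(f"{iface}: {e['packets']} packets, {len(e['sources'])} sources, "
              f"{len(e['dports'])} destination ports")
```

Any count on an interface other than the external one means the inside or the DMZ has not been eliminated as a source.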
