Because the only way I can see for someone to be returned any information from such a scan would be if the ISP's router to our site was compromised, I contacted my ISP Customer Service department. Their representative accessed the router to review the configuration, and then asked me to tracert the most recently received IP address. Immediately, all this activity ceased (which had been fairly constant for the last 30 hours), and has not yet resumed.

I cannot accept the hypothesis that the NAT was leaking internal IPs. The number of 192.168.x.x IP addresses logged exceeds the number of machines I have here. They are not in the ranges I use. They were not blocked outbound from the local network into the NAT by the rule that allows only the valid internal address range to access the Firewall. The port numbers addressed on the NAT are outside of the range designated to be used for NAT'ing by the NAT.

I also cannot accept the hypothesis that my ISP's router was leaking "other" local traffic onto my Internet segment. The traffic was specifically targeted to my Firewall's external IP address, and the only source port ever logged was 80.

The other possibility which is being investigated is that the only other device besides the connection to the ISP's router, and the connection to my NAT, on the Internet segment is a Shiva NetModem/E which supports two dial-in connections. This is largely so that if the Internet is problematic, I can circumvent the Internet to access the Internet segment of my network. This device has no access to our network that does not pass through the firewall exactly as traffic from the Internet must. It is conceivable that it was the connection point for the attack, although I have reviewed the log files and it does not appear to have had any connections to it at the time. And assuming it was the connection point for the attack leaves no explanation for the attack ceasing as it did when it did.

Thanks to all who responded!!
