Thanks to Tobias's earlier post on IPSec I can.
The Input chain on Ethernet0 is denying UDP packets from 24.5.117.188 port
513 to 24.5.117.255 port 513 with a length of 160 bytes. The TOS (type of
service) field was 0x00, the IP ID was 10066, the fragment field read
0x0000, the TTL was 64, and rule number 40 caused this log entry. UDP port 513 is
the Who service:
who 513/udp maintains data bases showing who's
# logged in to machines on a local
# net and the load average of the
# machine
http://www.isi.edu/in-notes/iana/assignments/port-numbers
The second address is presumably your broadcast address, based on a classful
subnet mask on your external interface. This sounds extremely bad to me
intrinsically, but I am not familiar with Debian. However, from a security
perspective I always disable the who service on any "Bastion Host"/Firewall,
since the only person who usually logs on is the Administrator, and then
only for maintenance.
I would definitely investigate further, and perhaps bring it up with your
ISP, since it appears to be originating from outside your network. Or you
have some type of service running to "Broadcast" who is logged on; in this
case don't contact your ISP, but disable that service. Perhaps a Debian
specific list might be able to suggest what service is causing this.
Ken Claussen
"The Mind is a terrible thing to waste"
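As an added example (not code from either poster, and not from any of the tools mentioned), here is a small Python parser that decodes the kernel 2.2 ipchains "Packet log:" lines quoted in the original message and annotates them the way the reply above reads them: protocol, service name for port 513/udp, whether the destination is the directed broadcast of the external subnet, and whether the source is the host's own external address. It assumes a /24 mask on the external interface (the "classful subnet mask" guess above), takes the two log lines from the post as input, and adds one constructed line from a different source address to show the contrast.

```python
import ipaddress
import re
from typing import Optional

# Format of the kernel 2.2 ipchains "Packet log:" entries quoted in the post:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# 513/udp is "who" (rwho) in the IANA port-numbers list cited above.
UDP_SERVICES = {513: "who"}

# The first two lines are the ones quoted in the original message (joined onto
# one line each); the third is a constructed line from another host on the
# same /24, added here only to show the contrast in classification.
SAMPLE_LINES = [
    "Mar 28 00:02:31 rosahas kernel: Packet log: input DENY eth0 PROTO=17 "
    "24.5.117.188:513 24.5.117.255:513 L=136 S=0x00 I=10066 F=0x0000 T=64 (#40)",
    "Mar 28 02:11:35 rosahas kernel: Packet log: input DENY eth0 PROTO=17 "
    "24.5.117.188:513 24.5.117.255:513 L=160 S=0x00 I=39885 F=0x0000 T=64 (#40)",
    "Mar 28 03:00:00 rosahas kernel: Packet log: input DENY eth0 PROTO=17 "
    "24.5.117.200:513 24.5.117.255:513 L=160 S=0x00 I=500 F=0x0000 T=64 (#40)",
]


def parse_ipchains_line(line: str) -> Optional[dict]:
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "tos": int(d["tos"], 16),
        "ipid": int(d["ipid"]), "frag": int(d["frag"], 16),
        "ttl": int(d["ttl"]), "rule": int(d["rule"]),
    }


def classify(entry: dict, own_ip: str, own_prefixlen: int = 24) -> dict:
    """Annotate a parsed entry: protocol/service names, whether the destination
    is our subnet's directed broadcast, and whether the source is our own
    external address (which points at a locally running broadcaster rather
    than at something arriving from the ISP side)."""
    net = ipaddress.ip_network(f"{own_ip}/{own_prefixlen}", strict=False)
    dst = ipaddress.ip_address(entry["dst"])
    out = dict(entry)
    out["proto_name"] = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
    out["service"] = UDP_SERVICES.get(entry["dport"]) if entry["proto"] == 17 else None
    out["to_broadcast"] = dst == net.broadcast_address
    out["from_self"] = entry["src"] == own_ip
    return out


def summarize(lines, own_ip: str, own_prefixlen: int = 24) -> dict:
    """Count who-broadcasts sourced from our own address versus everything
    else, and report the IP ID range those self-sourced entries span (the
    original poster noticed the I= value climbing across the day)."""
    self_who, other, ipids = 0, 0, []
    for line in lines:
        entry = parse_ipchains_line(line)
        if entry is None:
            continue
        c = classify(entry, own_ip, own_prefixlen)
        if c["from_self"] and c["to_broadcast"] and c["service"] == "who":
            self_who += 1
            ipids.append(c["ipid"])
        else:
            other += 1
    return {
        "self_who_broadcasts": self_who,
        "other_entries": other,
        "ipid_min": min(ipids) if ipids else None,
        "ipid_max": max(ipids) if ipids else None,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(parse_ipchains_line(line), "24.5.117.188"))
    print(summarize(SAMPLE_LINES, "24.5.117.188"))
```

Running it over the three sample lines shows the two quoted entries as UDP "who" traffic from the host's own external address to the 24.5.117.255 broadcast, which is the "locally running broadcast service" branch of the reply's advice, while the constructed third line is flagged as coming from another host on the subnet.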
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rohit Sahasrabudhe
Sent: Wednesday, March 28, 2001 2:17 AM
To: [EMAIL PROTECTED]
Subject: syslog: Ipchains, what does this mean?
Hi,
I am not sure why, but every day, I get a huge syslog
in:
/var/log/message
which looks something like the following.
I have a 486 machine running Debian with Linux Kernel
2.2.18. On top of that, I am using pmfirewall to
manage my ipchains.
My external IP is: 24.5.117.188
And internally, I have a network of: 192.168.x.x
Here is today's log:
--x--
Mar 28 00:02:31 rosahas kernel: Packet log: input DENY
eth0 PROTO=17 24.5.117.188:513 24.5.117.255:513 L=136
S=0x00 I=10066 F=0x0000 T=64 (#40)
.
.
.
Mar 28 02:11:35 rosahas kernel: Packet log: input DENY
eth0 PROTO=17 24.5.117.188:513 24.5.117.255:513 L=160
S=0x00 I=39885 F=0x0000 T=64 (#40)
--x--
The log is for I in the range of 10066 to 39885;
it adds like over 25-30 lines of the same stuff,
incrementing the I= value.
Can someone please explain to me what this is?
Thanks,
Rohit.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]