On Sat, 8 Dec 2001, Maxim Heijndijk wrote:

> I have this in my firewall log:
> 
> Dec 7 21:39:33 deflector kernel: Packet log: input DENY ppp0 PROTO=6
> 10.170.1.154:80 194.134.195.252:61720 L=1500 S=0x00 I=22017 F=0x4000
> T=249 (#8)
> 
> From echogent I got the advice to open up a certain port, because
> they seem to be return packets from my ISP.

This is not good advice in this case.  The packet looks vaguely like a
return packet from a website (from port 80 to a masqueraded port) but it
is from a private IP number (10.0.0.0/8 A-class private network) and has
the SYN bit set (F=0x4000, though usually this is accompanied by "SYN"
after the "T" value), so it is NOT a RETURN packet and unless there is
something special about your setup (facing a NATed ISP?) then you probably
wouldn't be able to connect to this server if you tried.  I think a script
kiddie was trying to poke you to see if he could get a response (informing
him that his packet got through your firewall rules).

I have noticed that timeouts can cause return packets from some websites
to be denied also, so even if the SYN bit is not set and the packet is
from a site you visited intentionally, seeing this packet probably
shouldn't make you think of opening ports... it can occur due to internet
unreliability.

> How do I open up ports in the network.conf ?

Can't say... but I wouldn't recommend it in this case.  It looks to me
like someone is prowling around out there.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
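
The checks described in the reply above (private source address arriving on the Internet-facing interface, a SYN marker after the T value, port 80 to a high port), as an added example that is not part of the original message. It assumes ppp0 is the external interface, as in the quoted log; the finding names are hypothetical, the F value is kept raw, and the second sample line is constructed.

```python
import ipaddress
import re

# Field layout of an ipchains "Packet log:" line, taken from the quoted entry.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>\S+) I=(?P<id>\d+) F=(?P<frag>\S+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# RFC 1918 private ranges: not routable on the Internet, so a packet claiming
# one of these as its source on an external link deserves suspicion.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def assess(line, external_ifaces=("ppp0",)):
    """Return a list of findings for one log line (empty list: nothing notable)."""
    m = LOG_RE.search(line)
    if m is None:
        return ["unparsed"]
    pkt = m.groupdict()
    findings = []
    src = ipaddress.ip_address(pkt["src"])
    if pkt["iface"] in external_ifaces and any(src in n for n in PRIVATE_NETS):
        findings.append("private-source-on-external-interface")
    if pkt["proto"] == "6" and pkt["syn"]:
        findings.append("tcp-syn")
    if pkt["proto"] == "6" and pkt["sport"] == "80" and int(pkt["dport"]) >= 1024:
        findings.append("looks-like-web-reply")
    return findings


# SAMPLES[0] is the entry from the post, rejoined onto one line.
# SAMPLES[1] is constructed for illustration (documentation address 192.0.2.10).
SAMPLES = [
    "Dec 7 21:39:33 deflector kernel: Packet log: input DENY ppp0 PROTO=6 "
    "10.170.1.154:80 194.134.195.252:61720 L=1500 S=0x00 I=22017 F=0x4000 T=249 (#8)",
    "Dec 7 21:40:02 deflector kernel: Packet log: input DENY ppp0 PROTO=6 "
    "192.0.2.10:4321 194.134.195.252:25 L=60 S=0x00 I=4242 F=0x4000 T=52 SYN (#8)",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(assess(entry), "<-", entry.split("Packet log: ")[1])
```

A line that resembles a web reply but carries a private source on the external interface is one to leave denied rather than a reason to open a port.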
