Julian:

        Heya. I'm going to go with what fwlog.pl is telling
you on this one. :) The reply does indeed look to be from the
"NAT router" you had previously at 192.168.254.254. There's
no SYN flag set, so it's not a Code-Red packet, and it's
coming at you at a very high port number (61000+) which is
where LEAF boxes do their IP-masquerading.

        So...somewhere external to your LAN, a packet from
192.168.254.254 is finding its way to you. Perhaps...when you
changed your ADSL service, your ISP gave your old router to
someone else who is using it misconfigured?

        As to why your firewall is logging these at all...the
stock ruleset on Dachstein logs anything that comes from a
source IP of 192.168.x.y. Unless you changed that as part of
your new setup, it's still in there.

        Hope this helps!

-Scott


> From: Julian Church <[EMAIL PROTECTED]>
> Subject: [Leaf-user] Confusing packet in firewall logs
>
> I know "What's this in my logs" is a common query, but I really am confused
> this time.
> I'm getting a few of these in /var/log/messages per minute.
>
> Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x0000 T=60 (#42)
> Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x0000 T=60 (#42)
>
> I'm confused because eth0 is my external interface.  217.149.96.2 is the
> ext IP of the firewall. 192.168.254.254 doesn't appear anywhere on the LAN.
>
> The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl tells me it's
> a return packet from a website someone on my network is trying to view, but
> given the 192.168.x.x source address I'm not sure that's correct.
>
> One more thing that may be significant (or just simple coincidence), I had
> our ADSL service changed from NAT to no-NAT in December, and the NAT
> router's internal address was 192.168.254.254.  I changed over from
> Eigerstein to Dachstein at the same time though (effectively starting from
> scratch), so I don't think it's possible I've got some old setting in the
> firewall still hidden somewhere.
>
> Does anyone have any ideas?
>
> thanks
>
> Julian
>
> --
> [EMAIL PROTECTED]



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
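
The triage applied in the reply above (private source address on the external interface, no SYN flag, destination port in the 61000+ masquerade range), written out as an added example that is not part of the original thread or of fwlog.pl. The ` SYN` token in the log layout, the wider RFC 1918 check (the reply only mentions 192.168.x.y), and the third sample line are assumptions made for this sketch.

```python
import ipaddress
import re

# ipchains "Packet log" layout as seen in the quoted log lines. The optional
# " SYN" token before the rule number is an assumption about how SYN packets
# are marked; the lines in the thread carry no such token.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# Generalised from the 192.168.x.y rule mentioned in the reply to all of RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MASQ_PORT_START = 61000  # "61000+" per the reply

def classify(line, external_iface="eth0"):
    """Return triage findings for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    private_src = any(src in net for net in RFC1918)
    findings = {
        "src": m["src"],
        "dport": int(m["dport"]),
        "rule": int(m["rule"]),
        # A private source arriving on the external interface should never be routed.
        "private_src_on_external": private_src and m["iface"] == external_iface,
        "syn": m["syn"] is not None,
        "to_masq_port": m["proto"] == "6" and int(m["dport"]) >= MASQ_PORT_START,
    }
    # No SYN plus a masquerade-range destination port: a reply, not a new connection.
    findings["looks_like_reply"] = not findings["syn"] and findings["to_masq_port"]
    return findings

SAMPLE = [
    # First two lines are from the thread; the third is constructed for contrast.
    "Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x0000 T=60 (#42)",
    "Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x0000 T=60 (#42)",
    "Jan 15 10:41:02 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3321 217.149.96.2:80 L=48 S=0x00 I=4012 F=0x4000 T=112 SYN (#42)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```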
