On Thu, Jun 20, 2002 at 11:35:54AM -0400, Akom wrote:
> I'm getting a bit concerned about what's going on in my logs for the past couple
> of days. I'm running Bering 1.0 rc2 with Shorewall 1.3.1, standard run of the
> mill setup:
>
> external eth0: dhcp, norfc1982, noping, routefilter, blacklist
> internal eth1: routestopped
>
> External is cable, internal is a 192.168.2.0/24
>
> Port-forwarded inside the eth0 net is a single server running a bunch of stuff
> including opennap (port 8888): 192.168.2.1
>
> I normally get my share of spoofed IP packets in the logs all the time, which I
> ignore; however, this time they don't look healthy, as they are destined for the
> internal IP of my server and it's been happening for a couple of days about
> every 3 minutes:
>
> Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
> SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11842 DF
> PROTO=TCP SPT=3093 DPT=8888 WINDOW=65535 RES=0x00 SYN URGP=0
> Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
> SRC=192.168.0.2 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=12354 DF
> PROTO=TCP SPT=3093 DPT=8888 WINDOW=65535 RES=0x00 ACK URGP=0
Get tcpdump.lrp (and libm.lrp and libpcap.lrp) and install them. Then run

    tcpdump -i eth0 -s0 -n host <internal_IP>

...on one virtual console, and

    tcpdump -i eth1 -s0 -n host <internal_IP>

...on the other. Use "Alt-Fx" to switch to console x. Then sit back and watch.

If you have the capability to store some data, then add the following option to each:

    -w /some/path/to/store/a/dump/at/dump.dat

If you use -w, you'll get no output on screen, but there'll be a dump on disk. Then you can read the dump with ethereal (recommended!) on a full system with X - or show it to others, too.

There's also software to "despoof" addresses, but I forget which it is or where it is.

-------------------------------------------------------
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
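Before reaching for tcpdump, the firewall's own log already says quite a lot: the two lines Akom quoted carry the inbound interface, the RFC1918 source, the internal destination and the port, and the repetition interval tells you whether this is a scripted client or random noise. The script below is an added example, not code from the thread or from the Shorewall or LEAF projects; it parses Shorewall/iptables kernel log lines of exactly the form shown in the post, groups them by source, destination and destination port, flags groups whose source is a private (RFC1918) address arriving on the external interface, and measures how regular the hits are. The sample log is constructed: the first two lines are the ones from the post, the rest extend that pattern by hand (the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real hosts).

```python
"""Summarize Shorewall/iptables kernel-log drops to spot a spoofed private
source reaching an internal host through the external interface.

Added example, not from the original thread.  SAMPLE_LOG is constructed:
two lines are copied from the post, the others are made up to extend the
same pattern."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# RFC1918 ranges: nothing sourced from these should arrive on a cable-modem
# facing interface, so such a SRC on eth0 is spoofed or badly misrouted.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<kv>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line, year=2002):
    """Return a dict for one Shorewall log line, or None if it does not match.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    rec["time"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)   # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
            rec[k] = v
        elif tok in TCP_FLAGS:         # bare tokens such as SYN / ACK
            rec["flags"].append(tok)
    return rec


def is_private(ip):
    a = ip_address(ip)
    return any(a in n for n in RFC1918)


def summarize(lines, external_if="eth0", year=2002):
    """Group parsed lines by (SRC, DST, DPT).  A group is flagged when its
    source is RFC1918 and every hit entered on the external interface.
    mean_gap_s is the average spacing between distinct timestamps, so a
    SYN and an ACK logged in the same second count as one event."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec and "SRC" in rec and "DST" in rec:
            groups[(rec["SRC"], rec["DST"], rec.get("DPT", "-"))].append(rec)
    out = {}
    for key, recs in groups.items():
        times = sorted({r["time"] for r in recs})
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = {
            "hits": len(recs),
            "first": times[0],
            "last": times[-1],
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "spoofed_private_src": is_private(key[0])
            and all(r.get("IN") == external_if for r in recs),
        }
    return out


def report(summary):
    """One human-readable line per group, flagged groups first in the sort key."""
    rows = []
    for (src, dst, dpt), s in sorted(summary.items(), key=lambda kv: (not kv[1]["spoofed_private_src"], kv[0])):
        tag = "SPOOFED-PRIVATE-SRC" if s["spoofed_private_src"] else "ok"
        gap = f"{s['mean_gap_s']:.0f}s" if s["mean_gap_s"] is not None else "n/a"
        rows.append(f"{tag:20} {src:>15} -> {dst}:{dpt}  hits={s['hits']}  mean_gap={gap}")
    return rows


# Constructed sample.  Lines 1-2 are from the post; 3-4 repeat the pattern
# three minutes apart; 5 is an ordinary drop from a public address.
SAMPLE_LOG = [
    "Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11842 DF PROTO=TCP SPT=3093 DPT=8888 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=192.168.0.2 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=12354 DF PROTO=TCP SPT=3093 DPT=8888 WINDOW=65535 RES=0x00 ACK URGP=0",
    "Jun 20 10:36:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11901 DF PROTO=TCP SPT=3101 DPT=8888 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 20 10:39:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11977 DF PROTO=TCP SPT=3107 DPT=8888 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 20 10:37:02 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=4210 DF PROTO=TCP SPT=1045 DPT=137 WINDOW=16384 RES=0x00 SYN URGP=0",
    "noise line that is not a firewall log entry",
]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

On the sample the 192.168.0.2 -> 192.168.2.1:8888 group is flagged with four hits and a 180 s mean gap, which is the "every 3 minutes" cadence from the post; a steady interval like that points at one misconfigured or scripted client rather than background scanning. The TTL=102 on the dropped packets is a useful second clue: a host on a genuinely adjacent private network would normally show a TTL close to an initial value such as 128, not one that has already been decremented by a couple of dozen hops. Feed the script a real log with something like `summarize(open("/var/log/messages"))`, remembering to pass the right `year` and `external_if` for your setup.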