i suppose it would've been a little more helpful for me to detail that,
sorry :( 192.0.1.7 is the firewall's IP, 192.0.1.11 is the XP machine. FYI,
I have two other winxp machines that are NOT showing up in the logs. eth0 is
my internal network, eth1 is the external.

thanks guys-

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Scott C. Best
Sent: Monday, August 12, 2002 11:42 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Windows XP attacking my firewall?


Matt:

        That's an interesting firewall log. Two quick questions
spring to mind:

1. The source-IP is 192.0.1.11, the dest is 192.0.1.7, but this
   is coming in on the eth0 interface of your firewall. So...
   how is your LEAF firewall connected to your WinXP box?
   I'm presuming that 192.0.1.11 is the WinXP box, but I can't
   tell what LEAF's eth0 IP address is.

2. UDP port 1900 is Universal Plug&Pray (UPnP) not ssdp. The
   original releases of WinXP had a vulnerability with this
   service. But since the traffic is all local (192.0.1.x for
   both source and dest) I doubt it's an attack; it's probably
   just normal UPnP activity. Still, it'd help to know: which is
   your WinXP machine?

-Scott


> in /var/log/syslog i get the following error repeated three times every 25
> seconds:
>
> Aug  9 15:45:23 firewall kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
> MAC=00:04:76:e2:6c:6c:00:40:95:30:aa:71:08:00 SRC=192.0.1.11 DST=192.0.1.7
> LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=10522 PROTO=UDP SPT=1037 DPT=1900
> LEN=140
>
> a quick look on the TCP/IP common port listings suggests that this is due to
> ssdp. would that make sense? should i be authorizing a port on the firewall
> to allow XP to do this?




-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
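
As an added example (not part of the original e-mails): a small Python triage script for log entries in the format quoted in this thread. It pulls the sender's MAC address out of the `MAC=` field to identify which machine is generating the traffic, and separates LAN-local UDP 1900 rejects from entries that need a closer look. The /24 mask, the class labels and the second and third sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.0.1.0/24")   # assumption: "192.0.1.x" is a /24
INTERNAL_IF = "eth0"                          # internal interface, per the thread

# Constructed sample: line 1 is the entry quoted in the thread (unwrapped),
# lines 2-3 are made-up entries for comparison.
SAMPLE = """\
Aug  9 15:45:23 firewall kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:04:76:e2:6c:6c:00:40:95:30:aa:71:08:00 SRC=192.0.1.11 DST=192.0.1.7 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=10522 PROTO=UDP SPT=1037 DPT=1900 LEN=140
Aug  9 15:45:48 firewall kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:04:76:e2:6c:6c:00:40:95:30:aa:71:08:00 SRC=192.0.1.11 DST=192.0.1.7 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=10530 PROTO=UDP SPT=1037 DPT=1900 LEN=140
Aug  9 15:46:02 firewall kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:04:76:e2:6c:6d:00:00:5e:00:53:01:08:00 SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 SYN
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def parse(line):
    """Return a dict for one Shorewall/netfilter log line, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            rec.setdefault(key, val)          # LEN appears twice; keep the IP length
    octets = rec.get("MAC", "").split(":")
    # netfilter logs MAC as dst(6) + src(6) + ethertype(2) on Ethernet
    rec["SRC_MAC"] = ":".join(octets[6:12]) if len(octets) == 14 else None
    return rec

def classify(rec):
    src, dst = ipaddress.ip_address(rec["SRC"]), ipaddress.ip_address(rec["DST"])
    local = rec["IN"] == INTERNAL_IF and src in LAN and dst in LAN
    if local and rec["PROTO"] == "UDP" and rec.get("DPT") == "1900":
        return "lan-upnp"                     # LAN host probing UDP 1900 on the firewall
    return "lan-other" if local else "review"

def summarize(text):
    """Count (class, source IP, source MAC) over all parseable lines."""
    recs = filter(None, map(parse, text.splitlines()))
    return Counter((classify(r), r["SRC"], r["SRC_MAC"]) for r in recs)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Matching the reported source MAC against each machine's network adapter address shows which host is sending the packets, independent of its current IP address.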


