Comments interleaved below. (I waited awhile before replying, in the hope that someone who knows more about this area than I would chime in. What I can offer is very limited, as you will see.)

At 08:06 AM 10/29/02 +0100, Jon Clausen wrote:
> I'm not at all sure but I suspect there might be *some* connection
> between the hordes of denied icmp-messages discussed before (see quote
> below), and the fact that one of the kids on the lan is running
> "Morpheus" (a P2P filesharing app).
> 
> Quick ascii reminder:
> 
> Inet---Dachstein---LAN---(host running Morpheus)
>                |
>               DMZ
>                |
>          Linux server
> 
> On Mon, Oct 14, 2002 at 11:15:11PM -0700, Ray Olszewski wrote:
> > At 07:24 AM 10/15/02 +0200, Jon Clausen wrote:
> > >O.K. full log entry:
> > >Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
> > >10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)
> >
> > OK. It's what I guessed above ... an icmp "host unreachable" message.
> > There's probably a secret decoder ring for this stuff online somewhere, but
> > I use a book. Here's the pieces:
> >
> > PROTO=1          protocol 1 is icmp
> > 10.131.224.1:3   10.131.224.1 is the source IP, of course;
> >                  the "port" is the icmp message type, 3=Destination
> >                  unreachable
> > 62.243.222.62:1  62.243.222.62 is the destination IP, as usual;
> >                  the "port" is the icmp message code, 1=host
> >                  unreachable
> >
> > Without seeing the content of the packet (which does not get logged), we
> > have no way to know what host this is about.
> >
> > >As I said, there are a bunch of this kind of entries, all
> > >PROTO=1 <some-ip>:3 62.243.222.62:1 L=56 S=0x00 I varying T varying (#
> > >varying)
> > >
> > >It starts at 11:36:39 continues through the day to 21:11:20
> 
> Which *could* fit with:
> 
> 11:36 kid opens windows/morpheus, dumdedum all day to
> 21:11 kid shuts down, goes to bed
> 
> Now, why morpheus on the lan should result in incoming martian icmp
> messages on eth0, I haven't any idea...(?) BUT
Me either, except to note that P2P services make a lot of connections to and from poorly configured systems. If your ISP uses private address 10.131.224.1 for some specialized purpose (a plausible example would be a server that does PPPoE authentication), a configuration error by some morpheus user elsewhere could be causing a routing error from your end. Just a guess, of course.


More generally;

> This being a residential network, I have no authority to block P2P apps
> outright. So I would like some opinions/advice WRT the following:
> 
> P2P being the potential security hazard it is, would it make sense to
> place a P2P "proxy" in the dmz? (And try to beef up security on it)
My guess is no. Any vulnerabilities here are in the application layer of closed-source software. For each P2P app to work, you have to let the app connect to the Internet. In any case, I've never heard of a P2P proxy for the common P2P services ... has anyone?


> Bandwidth. This stuff needs to be throttled. This is something I've been
> wanting to get into, but since the documentation on Morpheus amounts to
> "This is the best P2P app... ever!" I've no idea where to begin.
> 
> Does anyone have links to docs on the ports/protocols used for these
> types of apps? (Morpheus/Kazaa/Gnutella/whathavewe)
As to "where to begin" ... a good place to start with this sort of question is at Google. A search on "Morpheus ports" turned up a ton of listings, including this one:

http://www.oofle.com/iptables/filesharing.htm

A search on "kazaa ports" turned up this one (among others):

http://www.geocrawler.com/archives/3/90/2002/6/0/8906982/

Gnutella looks a bit tougher to control, but "Gnutella ports" did turn this up:

http://www.nwconnection.com/2001_09/gnutel91/

While this identifies the ports, it does not address the issue of bandwidth throttling. I don't know if speed controls can be imposed port by port; perhaps someone else can comment on that part.

> These are more of conceptual/conversational questions, since I've done
> little research of my own yet. I thought it'd be nice to get some
> pointers/ideas on *what* to research first...



--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski					-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
-------------------------------------------------------------------------------
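A worked decoder for the log format discussed in the thread, added here as an example and not part of the original mail or of the LEAF/Dachstein project: it parses ipchains "Packet log:" lines, applies the ICMP type/code reading Ray gives above (for PROTO=1 the source-side ":n" is the type and the destination-side ":n" is the code), flags ICMP arriving on the external interface from a private source address (the "martian" case Jon describes), and tallies the count and time window so a flood can be matched against a suspected window such as 11:36 to 21:11. The function names, the `external_iface` parameter and every sample line except the one quoted in the thread are constructed for illustration.

```python
import re
import ipaddress
from collections import Counter

# Regex for the ipchains "Packet log:" line layout seen in the thread
# (assumption: the field order is fixed; only this layout is handled).
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sfield>\d+) (?P<dst>[\d.]+):(?P<dfield>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)

# ICMP type names and "destination unreachable" code names (RFC 792);
# only the handful relevant to this kind of log are listed.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed"}


def parse_line(line):
    """Return a dict of fields for one Packet log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sfield", "dfield", "length", "ipid", "ttl", "rule"):
        entry[key] = int(entry[key])
    return entry


def describe(entry):
    """Meaning of the two ':' fields, which depends on the protocol: for ICMP
    (PROTO=1) they are type and code, for TCP/UDP they are ordinary ports."""
    if entry["proto"] == 1:
        t, c = entry["sfield"], entry["dfield"]
        name = ICMP_TYPES.get(t, f"type {t}")
        if t == 3:
            name += ", " + UNREACH_CODES.get(c, f"code {c}")
        return f"icmp {name}"
    proto = {6: "tcp", 17: "udp"}.get(entry["proto"], f"proto {entry['proto']}")
    return f"{proto} {entry['src']}:{entry['sfield']} -> {entry['dst']}:{entry['dfield']}"


def is_martian_icmp(entry, external_iface="eth0"):
    """True for ICMP arriving on the external interface from an RFC 1918 private
    source, which should never be routed in from the Internet."""
    return (entry["proto"] == 1 and entry["iface"] == external_iface
            and ipaddress.ip_address(entry["src"]).is_private)


def summarize(lines, external_iface="eth0"):
    """Count denied martian ICMP per source and record first/last timestamps
    (syslog order is assumed chronological), to compare against a suspected window."""
    by_src = Counter()
    first = last = None
    for line in lines:
        e = parse_line(line)
        if e is None or not is_martian_icmp(e, external_iface):
            continue
        by_src[e["src"]] += 1
        first = first or e["stamp"]
        last = e["stamp"]
    return {"count": sum(by_src.values()), "by_src": dict(by_src),
            "first": first, "last": last}


# Constructed sample log: the 14:46:06 line is the entry quoted in the thread;
# the others imitate the "<some-ip>:3 62.243.222.62:1" pattern, plus one
# unrelated TCP entry to show the parser is not ICMP-specific.
SAMPLE_LOG = [
    "Oct 14 11:36:39 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 "
    "10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=1001 F=0x0000 T=240 (#9)",
    "Oct 14 12:00:00 skilderhus kernel: Packet log: input DENY eth0 PROTO=6 "
    "203.0.113.9:44321 62.243.222.62:12345 L=48 S=0x00 I=3003 F=0x4000 T=110 (#12)",
    "Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 "
    "10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)",
    "Oct 14 21:11:20 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 "
    "192.168.77.5:3 62.243.222.62:1 L=56 S=0x00 I=2002 F=0x0000 T=61 (#9)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_line(line)
        print(e["stamp"], describe(e), "(martian)" if is_martian_icmp(e) else "")
    print(summarize(SAMPLE_LOG))
```

Run against the real log (for example `summarize(open("/var/log/messages"))`) the summary gives the per-source counts and the first/last timestamps, which is enough to check whether the flood lines up with the hours a particular LAN host is running.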



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
