From: "Eric Wolzak" <[EMAIL PROTECTED]>
To: "Brian Miller SMITH" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering, Diagnosing Weblet LRP status warnings
Date: Thu, 6 Feb 2003 01:37:59 +0100
Hello Brian,
The actual number of packet logs is not that important;
for example, eDonkey and programs like that make a lot of connection
tries.
Your summary shows that almost all connections came from
193.163.220.4 proxy-scanner.eris.dk.
The interesting thing would be to see what kind of packets
the ones from or to this IP are.
> I have the following message
>
> Thu Feb 6 09:49:28 UTC 2003
>
> firewall Firewall Status: error
>
> You have 438 denied or rejected packets in your recent packet logs.
>
> See the messages in the log files for details
> Or check the hits sorted by port or by IP address
>
>
> and when I look at the log file this is what it has (excerpt)
> Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37
> DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP
> SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0
Taken apart, this means:
At Feb 6 08:31:05 the Shorewall chain net2all DROP dropped a
packet coming in on the eth0 interface (IN=eth0) that was meant
for the firewall itself (OUT= is empty)
(info on eth0: MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00).
The source address of this packet was SRC=144.134.250.37
and the destination (DST=203.217.17.249) should have been
your external IP at that moment. The protocol was TCP, the source port
1146 and the destination port 3511.
Further packet information: length 48, type of service 00,
time to live 120. The SYN bit was set, so it was a "start of
communication"
( LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP
SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0 )
--------------------------------------------------------
You should now read some of the denied or dropped packets from
the 193.163.220.4 host. It might seem that you have outgoing
connections to this host that are blocked (IN= resp. OUT=), and look at whether the
ports are changing (then it might be a scan) or it is always the
same port that tries to connect (for example with a configuration
error).
>   Hits  Port  Service
>     42  1080
>     28  8080  webcache
>     28  6552
>     28    23  telnet
>
>
> sorted by ip address
>
>   Hits  IP-Address       Date
>    406  193.163.220.4    Feb 6
>      7  24.192.28.48     Feb 6
>      6  202.129.102.26   Feb 6
>      6  144.134.250.37   Feb 6
>      4  192.168.1.254    Feb 6
>      3  24.123.122.189   Feb 6
>      3  203.59.187.164   Feb 6
>      3  203.45.122.188   Feb 6
>
> What does it mean?? Am I being attacked or is it something in Shorewall that
> I have not configured properly?
>
Good luck
Eric Wolzak
member of the Bering crew
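The two checks Eric describes above (count hits per source IP and per destination port, then look per source at whether the destination ports keep changing, which looks like a scan, or stay the same, which looks like one host repeatedly trying one port, and whether IN=/OUT= say the packet was aimed at the firewall or forwarded through it) can be done over the raw kernel log with a short script. The following is an added example and is not part of the original post nor a LEAF/Shorewall tool. Only the first sample line is the one Brian posted; the other lines are constructed for the example in the same Shorewall log format, and the rule "three or more distinct destination ports from one source counts as scan-like" is an assumption chosen for illustration.

```python
"""Summarise Shorewall/netfilter kernel log lines: hits by port, hits by source IP,
and per source whether the destination ports change (scan-like) or not."""
import re
from collections import Counter, defaultdict

# Constructed sample log. Line 1 is the line from the original post; the rest are
# made up for this example (same format, RFC 5737 / private addresses).
SAMPLE_LOG = """\
Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:32:10 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=1080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 6 08:32:11 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 6 08:32:12 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=6552 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 6 08:32:13 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 6 09:00:01 firewall kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.254 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=UDP SPT=1025 DPT=53
Feb 6 09:05:01 firewall kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.254 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=8 DF PROTO=UDP SPT=1025 DPT=53
"""

# syslog timestamp, host, then "Shorewall:<chain>:<target>:" followed by key=value fields
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<rest>.*)$'
)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'chain': m.group('chain'),
           'target': m.group('target'), 'flags': set()}
    for tok in m.group('rest').split():
        if '=' in tok:
            key, val = tok.split('=', 1)   # "OUT=" yields an empty value
            rec[key] = val
        else:
            rec['flags'].add(tok)          # bare tokens such as DF, SYN, ACK
    return rec


def direction(rec):
    """Eric's reading of IN=/OUT=: IN set and OUT empty means the packet was
    addressed to the firewall itself; both set means it was being forwarded."""
    if rec.get('IN') and not rec.get('OUT'):
        return 'to-firewall'
    if rec.get('OUT') and not rec.get('IN'):
        return 'from-firewall'
    return 'forwarded'


def summarize(log_text, scan_threshold=3):
    """Hits by port and by source, plus a per-source pattern verdict.
    scan_threshold (assumed value) is the number of distinct destination ports
    from one source above which the pattern is called scan-like."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_src = defaultdict(list)
    for r in records:
        by_src[r.get('SRC', '?')].append(r)
    per_source = {}
    for src, recs in by_src.items():
        ports = sorted({r['DPT'] for r in recs if 'DPT' in r}, key=int)
        per_source[src] = {
            'hits': len(recs),
            'ports': ports,
            'directions': sorted({direction(r) for r in recs}),
            'pattern': 'scan-like' if len(ports) >= scan_threshold else 'same-port',
        }
    return {
        'total': len(records),
        'hits_by_port': Counter(r['DPT'] for r in records if 'DPT' in r),
        'hits_by_ip': Counter(r['SRC'] for r in records if 'SRC' in r),
        'per_source': per_source,
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} denied or rejected packets")
    for ip, n in s['hits_by_ip'].most_common():
        info = s['per_source'][ip]
        print(f"{n:5d}  {ip:16s} ports={','.join(info['ports'])} "
              f"{info['pattern']} {'/'.join(info['directions'])}")
```

On a Bering box the input would be the kernel log itself (for example `grep Shorewall /var/log/messages`), fed on stdin or read from the file in place of SAMPLE_LOG. In the constructed sample the external host 193.163.220.4 hits four different ports, so it is reported as scan-like, while the LAN host 192.168.1.254 keeps hitting the same port through the firewall (IN=eth1 OUT=eth0), which is the "always the same port, probably a configuration error" case Eric distinguishes.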
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
