On Wed, 2 Jul 2003, Jim Hubbard wrote:

> OK, I'm baffled by this.  I have Roadrunner cable, which went
> down for about a day.  When it came back up, I noticed my
> LEAF-Bering (v1.0-stable) firewall was getting hit a lot on udp
> port 1191 and it just hasn't stopped.  I've also got some other
> hits that I just don't understand - take a look:
> 
> 
> Jul 2 21:00:02 jericho kernel: Shorewall:net2all:DROP:IN=eth1
> OUT= MAC=00:80:c6:fb:63:59:00:08:20:cc:8c:54:08:00
> SRC=199.166.24.1 DST=66.56.165.39 LEN=56 TOS=0x00 PREC=0x00
> TTL=236 ID=56933 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=66.56.165.39
> DST=199.166.24.1 LEN=65 TOS=0x00 PREC=0x00 TTL=49 ID=60613
> FRAG:64 PROTO=UDP ]

199.166.24.1 is telling 66.56.165.39 that it received a udp packet from
66.56.165.39 destined for a port (code 3) on 199.166.24.1 that was not
reachable (type 3) (no service listening).

> I don't understand the part that's in brackets.  My net interface
> is eth1 at ip address 66.56.165.39.  My loc network is
> 192.168.1.0/24 and my dmz is 192.168.2.0/24.
> 
> And then here is a port 1191 hit:
> 
> 
> Jul 2 21:03:27 jericho kernel: Shorewall:net2all:DROP:IN=eth1
> OUT= MAC=00:80:c6:fb:63:59:00:08:20:cc:8c:54:08:00
> SRC=66.227.182.56 DST=66.56.165.39 LEN=68 TOS=0x00 PREC=0x00
> TTL=113 ID=24809 PROTO=UDP SPT=2034 DPT=1191 LEN=48
> 
> 
> I tried setting udp1191 to reject (rather than drop), but then
> then hits started coming in on tcp1191!  I've also had a lot of
> hits on udp3182, and when I tried rejecting those, they started
> coming in on tcp3182 as well.  I just don't know what to make of
> all this.  In the course of a day, I've been getting more than
> 3000 hits sometimes.  None of this, as far as I know, was
> happening before the outage occurred.  Could this be some sort of
> probe Roadrunner is doing?

Could be.  But you haven't said anything about what protocols you have
going outbound that might be prompting this either. 66.227.182.56 seems to
be a firewalled linux box somewhere in Charter Communications of
Michigan's network, but there are many possible legitimate explanations in
addition to the obvious unfriendly possibilities.

If you can determine (by examining your network traffic ... don't jump to
conclusions without data) that nothing your systems are doing is prompting
this, then you can a) send a request to [EMAIL PROTECTED] (tech contact
for the network manager for 66.227.182.56 obtained from
http://samspade.org) providing a summary of what you have seen and asking
for an explanation and/or correction, or b) add a drop rule to Shorewall
to keep your logfiles from filling up.  (a) will probably have no
discernable effect, so if you don't have any dirty datastreams going out
then you will probably end up with (b).

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
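To make the distinction in the reply concrete (an ICMP "port unreachable" whose bracketed header echoes the firewall's own outbound packet, versus an unsolicited inbound UDP hit on 1191), here is an added parser for Shorewall/netfilter log lines. It is example code written for this thread, not part of LEAF, Bering or Shorewall; the two sample lines are the ones quoted above, and the firewall's external address is passed in as a parameter (assumed here to be 66.56.165.39, as in the thread).

```python
import re
from collections import Counter

# The two Shorewall log lines quoted in the thread (sample input copied from
# the message, not captured by the editor from a live system).
SAMPLE_LOG = """\
Jul 2 21:00:02 jericho kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:80:c6:fb:63:59:00:08:20:cc:8c:54:08:00 SRC=199.166.24.1 DST=66.56.165.39 LEN=56 TOS=0x00 PREC=0x00 TTL=236 ID=56933 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=66.56.165.39 DST=199.166.24.1 LEN=65 TOS=0x00 PREC=0x00 TTL=49 ID=60613 FRAG:64 PROTO=UDP ]
Jul 2 21:03:27 jericho kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:80:c6:fb:63:59:00:08:20:cc:8c:54:08:00 SRC=66.227.182.56 DST=66.56.165.39 LEN=68 TOS=0x00 PREC=0x00 TTL=113 ID=24809 PROTO=UDP SPT=2034 DPT=1191 LEN=48
"""

# Names for the ICMP "destination unreachable" (type 3) codes seen in practice.
ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable"}

HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<rest>.*)$")


def _fields(text):
    """Turn 'SRC=1.2.3.4 DF FRAG:64 ...' into a dict.

    Bare tokens (DF, MF) become True. netfilter prints LEN twice for UDP/TCP
    (IP total length, then transport length); the repeat is kept as LEN2.
    """
    out = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
        elif ":" in tok:          # FRAG:64
            key, val = tok.split(":", 1)
        else:
            key, val = tok, True
        while key in out:
            key += "2"
        out[key] = val
    return out


def parse_line(line):
    """Parse one Shorewall/netfilter log line.

    Returns chain, target and the outer packet's fields; for ICMP errors the
    bracketed inner header (the original packet being reported on) is stored
    under 'inner'. Returns None for lines that are not Shorewall entries.
    """
    m = HEADER_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    inner = None
    if "[" in rest and "]" in rest:
        outer_text, inner_text = rest.split("[", 1)
        inner = _fields(inner_text.rstrip().rstrip("]"))
    else:
        outer_text = rest
    entry = _fields(outer_text)
    entry["chain"] = m.group("chain")
    entry["target"] = m.group("target")
    entry["inner"] = inner
    return entry


def classify(entry, my_ip):
    """Say what a dropped packet means from the firewall's point of view."""
    proto = entry.get("PROTO")
    if proto == "ICMP" and entry.get("TYPE") == "3" and entry["inner"]:
        inner = entry["inner"]
        reason = ICMP_UNREACH_CODES.get(int(entry.get("CODE", -1)), "unreachable")
        if inner.get("SRC") == my_ip:
            # The embedded header is OUR packet: this is a reply to something
            # this host sent out, not an unsolicited probe.
            return ("icmp-reply-to-our-traffic",
                    f"{entry['SRC']} says {reason}: our {inner.get('PROTO')} "
                    f"packet to {inner.get('DST')} reached no listener")
        return ("icmp-unrelated",
                f"{entry['SRC']} reports {reason} about a packet we did not send")
    if proto in ("UDP", "TCP"):
        return ("unsolicited-inbound",
                f"{proto} from {entry['SRC']}:{entry.get('SPT')} to port "
                f"{entry.get('DPT')} with no matching outbound flow")
    return ("other", f"{proto} from {entry.get('SRC')}")


def summarize(log_text, my_ip):
    """Count dropped packets by (kind, source, proto, dst port) to find top talkers."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind, _ = classify(entry, my_ip)
        counts[(kind, entry["SRC"], entry["PROTO"], entry.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        kind, why = classify(parse_line(line), "66.56.165.39")
        print(f"{kind:28} {why}")
    for key, n in summarize(SAMPLE_LOG, "66.56.165.39").most_common():
        print(n, key)
```

Run against a day's worth of /var/log/messages (with your own external address in place of 66.56.165.39), the summary separates ICMP errors caused by your own outbound traffic from genuinely unsolicited hits, which is the "examine your network traffic before drawing conclusions" step the reply recommends. Correlating the "unsolicited-inbound" entries with what the loc and dmz hosts are sending out is still manual work.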

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
