Hi,
After some recent maintenance work on our Bering 1.2 box, shorewall.log has begun showing strange connection attempts from local addresses in the network range 10.1.1.x to our ISP allocated IP address.
What do you call these "attempts from local addresses"? As I read your logs, they come into your system from the ppp0 interface ... that is, from the Internet (or at least from your ISP).
Unless you've left out something material, it is likely that one of three things is going on.
1. Some other customer of your ISP has a "leaky router", and you are getting traffic from its internal addresses.
2. Your ISP uses some 10.b.c.d addresses for local purposes and you are seeing traffic from them. For example, I've known of ISPs who allow new customers to access the network before registering, but allow them to connect only to hosts on a local 10.b.c.d network (so they can register online, after which they can access public addresses). Also for example, ISPs often use 10.b.c.d addresses for hosts that serve purely local purposes, such as DHCP servers.
3. Some sort of attack is occurring. If that's it, your firewall seems to be successful in blocking it.
If I'm reading the entry right (and if I'm not, someone please correct me), it says that the Reset (RST) flag is set on these packets. In context, this means the responses are TCP Reject responses from various 10.1.1.d hosts that are not listening on port 80. Could someone on your LAN be trying, and failing, to reach a Web server run by your ISP?
Any ideas what can be the cause of this? None of the internal hosts use this address range, neither does any service (I know about) on Bering...
Thank you, Shango Oluwa.
Below is a sample of shorewall.log with our allocated IP replaced as a.b.c.d:
SRC=10.1.1.55 DST=a.b.c.d LEN=40 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=9872 SEQ=2592007791 ACK=0 WINDOW=0 RST URGP=0
Mar 16 18:55:55 jungla Shorewall:rfc1918:DROP: IN=ppp0 OUT= MAC=71:10: SRC=10.1.1.76 DST=a.b.c.d LEN=40 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=9185 SEQ=2566522239 ACK=0 WINDOW=0 RST URGP=0
Mar 16 18:55:56 jungla Shorewall:rfc1918:DROP: IN=ppp0 OUT= MAC=71:10: SRC=10.1.1.90 DST=a.b.c.d LEN=40 TOS=00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=61639 SEQ=2573827886 ACK=0 WINDOW=0 RST URGP=0
Mar 16 18:55:56 jungla Shorewall:rfc1918:DROP: IN=ppp0 OUT= MAC=71:10: SRC=10.1.1.55 DST=a.b.c.d LEN=40 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=9325 SEQ=2591973530 ACK=0 WINDOW=0 RST URGP=0
Mar 16 18:55:57 jungla Shorewall:rfc1918:DROP: IN=ppp0 OUT=
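The reading of the log given in the reply (packets arriving on ppp0 from RFC 1918 sources, with RST set and source port 80) can be checked mechanically. The Python below is an added example, not part of the original thread; the sample lines are constructed in the quoted format with one SYN entry invented for contrast, and the names `parse`, `classify` and `summarise` are illustrative.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):\s*(?P<rest>.*)")

# Constructed sample in the quoted format; the third (SYN) entry is invented.
SAMPLE = """\
Mar 16 18:55:55 jungla Shorewall:rfc1918:DROP: IN=ppp0 OUT= MAC=71:10: SRC=10.1.1.76 DST=a.b.c.d LEN=40 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=9185 SEQ=2566522239 ACK=0 WINDOW=0 RST URGP=0
Mar 16 18:55:56 jungla Shorewall:rfc1918:DROP: IN=ppp0 OUT= MAC=71:10: SRC=10.1.1.55 DST=a.b.c.d LEN=40 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=9325 SEQ=2591973530 ACK=0 WINDOW=0 RST URGP=0
Mar 16 18:56:01 jungla Shorewall:rfc1918:DROP: IN=ppp0 OUT= MAC=71:10: SRC=10.1.1.90 DST=a.b.c.d LEN=60 TOS=00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 SEQ=1 ACK=0 WINDOW=5840 SYN URGP=0
"""

def parse(line):
    # Split an entry into key=value fields and bare tokens (DF, TCP flags).
    m = PREFIX.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val      # ACK=0 is the ack number, not the ACK flag
        else:
            flags.add(tok)
    return {"chain": m["chain"], "action": m["action"], "fields": fields, "flags": flags}

def classify(entry):
    # Returns (source is RFC 1918, kind of TCP segment).
    src = ipaddress.ip_address(entry["fields"]["SRC"])
    private = any(src in net for net in RFC1918)
    if "RST" in entry["flags"]:
        kind = "reset-reply"           # an answer, not a new connection
    elif "SYN" in entry["flags"] and "ACK" not in entry["flags"]:
        kind = "connection-attempt"
    else:
        kind = "other"
    return private, kind

def summarise(text):
    # Count TCP entries per (interface, RFC 1918 source?, kind, source port).
    counts = Counter()
    for entry in filter(None, map(parse, text.splitlines())):
        f = entry["fields"]
        if f.get("PROTO") == "TCP":
            counts[(f["IN"], *classify(entry), f["SPT"])] += 1
    return counts
```

Entries counted as `reset-reply` with source port 80 are the pattern the reply describes; a `connection-attempt` count would point to inbound SYNs instead.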
