Tom Reinertson wrote:
> > Do you happen to be running IP Masquerading? The port numbers look like they are
> > coming from a masqueraded machine.
>
> Yes. I have a Windows machine using the port, however, at the time of the tcpdump I
> had nothing active on the Windows machine -- no ftp, no IE, nada. In fact, at the
> same time, I had another tcpdump on the eth0 connection to be sure no packets were
> coming across from the Windows machine. It was absolutely quiet.
>
> > Another possibility, although very unlikely,
> > is that your ISP has its terminal server set up in such a way that it is on a
> > shared media segment. You might then see traffic from others that are logged
> > in. What is the subnet mask on your ppp0 interface when you are logged in? It
> > probably should be something like 255.255.255.252. I just checked mine and it
> > was 255.255.255.255 when diald initiated the connection and 255.255.255.252 when
> > I used the script I wrote when I first signed up with my ISP. I added the
> > "netmask 255.255.255.252" option to my diald.conf file.
>
> Maybe I don't understand your question, but I thought all ppp connections had a
> netmask of 255.255.255.255. I checked with ifconfig and verified that. How could
> it be otherwise? Your idea of a shared media segment is intriguing because, as I
> said in the first post, it looks as if I was watching traffic from some other
> machine whizzing past to the ISP. But since I'm on a ppp connection I don't know
> how that would be possible.
It depends on what kind of hardware USWest is using to support dialup.
The reason I asked about your subnet mask was to determine how many possible hosts
could appear on your subnet with your ISP.
It looks like diald defaults to a netmask of 255.255.255.255; I don't know if this
applies to any Class for the local address or not, I use a Class A, 10.0.0.1. The
netmask carries over from the tap0 interface to the ppp0 interface after the connection
is made. Try adding the "netmask 255.255.255.252" and you should see 255.255.255.252
on your tap0 interface before diald dials and then on the ppp0 interface after diald
completes the call.
When I initially set up Linux and pppd to my ISP, they (my ISP) told me that the netmask
would be 255.255.255.252. This mask allows a subnet with two hosts, you and your ISP.
I really do not understand a subnet mask of 255.255.255.255; this would imply zero
hosts (invalid?). Maybe someone else could enlighten me.
> Gyepi suggested that someone may be routing packets through my machine, but the more I
> think about it, the less reasonable it seems. If I'm on the dead end of a line
> between two machines, how could anything be routed through me?
There may be some logic to Gyepi's statement. What if someone using USWest, in your
area, had hardcoded a default route on their PC to point to the IP address you just
happen to have gotten when you connected. Their traffic would route to you, and would
be forwarded back to your default route (the P-t-P address from ifconfig for ppp0) and
on to the internet. Their traffic would then be routed through your machine. And I
thought my shared segment idea was far fetched.
Related questions:
Are you running routed or gated? Unless you have your own real IPs you probably should
not run either. I would imagine USWest would get irate if they noticed. Does this
problem happen whenever USWest is busy?
Was the USWest IP address (Odialup194.slkc.uswest.net (Salt Lake City?)), from the
tcpdump posted earlier, the address of your ppp0 interface? Try running tcpdump
without name translation, use the -n option, and compare your ppp0 address with those
from the tcpdump. If they are not the same, and there is no traffic on the eth0 side of
your Linux box, then the chances are good that you are seeing the traffic of others
using the USWest segment that you are dialed into. Make a note of the times, dates and
IP addresses you saw, and then call or email USWest. Red flags should go up that
something on their end is misconfigured.
One more thing to look at: Run "netstat -an | more" and verify that nothing on your
Linux machine has open connections to the IP addresses you see in the tcpdump. Pretty
unlikely unless the traffic is really coming from the Linux machine. If there are
connections open at your Linux machine, then I would presume you are being hacked.
BTW: Your network looks pretty much like mine.
Bob...
--
--------------------------------------------------------
Bob Chiodini [EMAIL PROTECTED]
--------------------------------------------------------
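The triage Bob describes above, as an added example that is not code from this thread or from diald: take the ppp0 address from ifconfig, split a "tcpdump -n" capture into packets that involve that address and packets that involve neither end of the link, and cross-check "netstat -an" for sockets the Linux box itself holds to the hosts seen. It assumes the old-style "tcpdump -n" line layout ("SRC.SPORT > DST.DPORT:") and the Linux netstat "Local Address / Foreign Address" columns; the ppp0 address, the capture lines and the netstat lines are constructed for the example. The netmask helper covers the two masks discussed in the thread: 255.255.255.252 (/30) leaves two usable host addresses, while 255.255.255.255 (/32) is a single address on a point-to-point link whose far end is the pointopoint address, not a subnet with a host count at all (a fact added here, not stated in the thread).

```python
"""Triage of a dial-up tcpdump capture.

Added example, not code from the linux-diald thread. Assumptions:
  - tcpdump was run with -n, so lines look like
    "HH:MM:SS.us SRC.SPORT > DST.DPORT: ..." (old-style tcpdump output);
  - the ppp0 address comes from ifconfig;
  - "netstat -an" output uses the Linux Local Address / Foreign Address layout.
All sample lines below are constructed for the example.
"""
import ipaddress
import re

# Address pair of an old-style "tcpdump -n" line. The port suffix is optional so
# that ICMP lines ("10.0.0.1 > 10.0.0.2: icmp: ...") match as well.
_TCPDUMP_RE = re.compile(
    r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:"
)

# Foreign Address column of "netstat -an" (IPv4 only).
_NETSTAT_RE = re.compile(
    r"^(?:tcp|udp)\s+\d+\s+\d+\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+|\*)"
)

# Constructed sample data (RFC 5737 documentation addresses).
PPP0_ADDR = "198.51.100.194"  # stands in for the dialup194 ppp0 address
SAMPLE_TCPDUMP = [
    "14:02:11.120334 198.51.100.194.1027 > 192.0.2.80.80: S 1:1(0) win 8192",
    "14:02:11.301212 192.0.2.80.80 > 198.51.100.194.1027: S 9:9(0) ack 2 win 8760",
    "14:02:12.004410 198.51.100.77.1055 > 192.0.2.25.25: P 100:130(30) ack 1 win 8192",
    "14:02:12.330087 192.0.2.25.25 > 198.51.100.77.1055: . ack 130 win 8760",
    "14:02:13.010000 198.51.100.194 > 198.51.100.1: icmp: echo request",
]
SAMPLE_NETSTAT = [
    "Active Internet connections (servers and established)",
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 198.51.100.194:1027     192.0.2.80:80           ESTABLISHED",
]


def classify_capture(tcpdump_lines, ppp0_addr):
    """Split "tcpdump -n" lines seen on ppp0 by whether our address is involved.

    'local'   : one end is our ppp0 address. Masqueraded LAN traffic also lands
                here, because masquerading rewrites the source to ppp0's address.
    'transit' : neither end is our address. A point-to-point link should never
                carry this; it points at a shared media segment at the ISP or at
                someone routing through this box.
    """
    out = {"local": [], "transit": []}
    for line in tcpdump_lines:
        m = _TCPDUMP_RE.match(line)
        if not m:
            continue  # not an IP packet line in the expected layout
        src, dst = m.group(1), m.group(2)
        out["local" if ppp0_addr in (src, dst) else "transit"].append(line)
    return out


def transit_hosts(tcpdump_lines, ppp0_addr):
    """Addresses appearing in transit packets: what to report to the ISP."""
    hosts = set()
    for line in classify_capture(tcpdump_lines, ppp0_addr)["transit"]:
        m = _TCPDUMP_RE.match(line)
        hosts.update((m.group(1), m.group(2)))
    return hosts


def foreign_addrs_from_netstat(netstat_lines):
    """Remote IPs the Linux box itself has sockets to, from "netstat -an"."""
    found = set()
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if m and m.group(1) != "0.0.0.0":  # skip wildcard listeners
            found.add(m.group(1))
    return found


def confirmed_local_connections(tcpdump_lines, netstat_lines, ppp0_addr):
    """Remote ends seen on ppp0 that netstat confirms belong to this Linux box.

    Anything here originates on the Linux machine itself, not on the LAN host
    and not on the ISP's segment; that is the case Bob says warrants suspicion.
    """
    remote_ends = set()
    for line in classify_capture(tcpdump_lines, ppp0_addr)["local"]:
        m = _TCPDUMP_RE.match(line)
        remote_ends.add(m.group(2) if m.group(1) == ppp0_addr else m.group(1))
    return remote_ends & foreign_addrs_from_netstat(netstat_lines)


def hosts_for_mask(mask):
    """Usable host addresses a dotted netmask leaves on the link.

    255.255.255.252 (/30) gives two, you and the ISP. 255.255.255.255 (/32) is a
    single address; the peer is reached via the pointopoint route, not the mask.
    """
    net = ipaddress.ip_network(f"0.0.0.0/{mask}")
    if net.prefixlen >= 31:
        return 1 if net.prefixlen == 32 else 2  # /31 and /32 have no network/broadcast
    return net.num_addresses - 2


if __name__ == "__main__":
    res = classify_capture(SAMPLE_TCPDUMP, PPP0_ADDR)
    print(f"local packets: {len(res['local'])}, transit packets: {len(res['transit'])}")
    print("transit hosts to report:", sorted(transit_hosts(SAMPLE_TCPDUMP, PPP0_ADDR)))
    print("connections this box holds:",
          sorted(confirmed_local_connections(SAMPLE_TCPDUMP, SAMPLE_NETSTAT, PPP0_ADDR)))
    for mask in ("255.255.255.252", "255.255.255.255"):
        print(mask, "->", hosts_for_mask(mask), "host address(es)")
```

Run it against a real capture by feeding the lines of "tcpdump -n -i ppp0" and "netstat -an" to the two functions and using the ppp0 address ifconfig reports; transit hosts are the list to send to the ISP with dates and times, and a non-empty confirmed_local_connections set is the case where the traffic really does come from the Linux box.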