On Tue, Mar 21, 2000 at 10:59:34AM +0100, Esteve Camps wrote:
> Ok. That's correct. Do you know if it happens during normal
> navigation? I mean, before that "attack" I had been accessing
> www.informit.com pages and the ip address of the logged packet seemed
> to come from there (sent through port 80). Is that possible? What
> would it correspond to?

Which of my suggestions is correct? ;-)

If the source port is 80 from a web site you had just been accessing,
then it is probably just a straggling packet that didn't make it back to
you in time. (not an attack) It depends on what the flags in the
packet were set to. 

If you're curious about what normal connections look like (and thus
what might constitute a rogue packet), I highly recommend getting
TCP/IP Illustrated Vol. 1 by Richard Stevens. He steps through all the
details of TCP and IP with wonderful clarity. 

-Steve



> > Do you mean you got a log entry that looked like this?
> >
> > Mar 19 16:55:09 trillian kernel: Packet log: input DENY eth1 PROTO=6
> > 192.168.1.1:34539 192.168.1.2:1433 L=40 S=0x00 I=49099 F=0x0000
> > T=49 SYN (#8)
> >
> > ??
> >
> > If so, then someone was poking at you. (Not uncommon.) If the kernel
> > denied a SYN/ACK and for some reason you can't connect to outside
> > hosts from the inside, then you've misconfigured your firewall.
> >
> > Assuming your IP Masquerading works correctly, it is most likely the
> > case that someone was just poking at your firewall to see if something
> > would respond at 1433. Don't worry too much -- it isn't uncommon to
> > get scanned/poked/prodded from the Internet. (Even if you're connected
> > via DSL, cable modem, or just dial up PPP...) Your firewall is kindly
> > doing its job and not forwarding that packet to your inside network.
> >
> > -Steve
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]

-- 
______________________________________________________________________________
Steve Shah ([EMAIL PROTECTED]) | Alteon Web Systems Inc. (Developer/Sysadmin)
    http://www.alteon.com     |   Voice: 408.360.5500  Fax: 408.360.5500
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             Beating code into submission, one OS at a time...
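
The reasoning in this thread (a logged SYN is someone poking at a port; a non-SYN packet from port 80 of a site you just visited is probably a late reply) can be applied to the quoted log format mechanically. The following is an added example, not part of either poster's message; `triage`, `recent_web_hosts`, and the second sample line are assumptions made for illustration, and the `SYN` marker is assumed to mean a connection-opening segment.

```python
import re

# Field layout of an ipchains "Packet log:" entry, as in the line quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def triage(line, recent_web_hosts=()):
    """Return (verdict, fields) for one log line, or None if it is not a packet log entry.

    recent_web_hosts is a hypothetical input: IPs of web servers browsed shortly before.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    if f["proto"] != "6":
        verdict = "not-tcp"      # the port/flag reasoning below applies to TCP only
    elif f["syn"]:
        verdict = "probe"        # assumption: SYN marker = new inbound connection attempt
    elif f["sport"] == "80" and f["src"] in recent_web_hosts:
        verdict = "straggler"    # late reply from a web server that was just visited
    else:
        verdict = "unexplained"  # non-SYN packet with no matching recent activity
    return verdict, f

# Sample input: the first line is the entry quoted in the thread, joined onto one line;
# the second is constructed for this example (203.0.113.10 is a documentation address).
SAMPLES = [
    "Mar 19 16:55:09 trillian kernel: Packet log: input DENY eth1 PROTO=6 "
    "192.168.1.1:34539 192.168.1.2:1433 L=40 S=0x00 I=49099 F=0x0000 T=49 SYN (#8)",
    "Mar 21 10:41:02 trillian kernel: Packet log: input DENY eth1 PROTO=6 "
    "203.0.113.10:80 192.168.1.2:1045 L=40 S=0x00 I=51234 F=0x0000 T=52 (#8)",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        verdict, f = triage(entry, recent_web_hosts={"203.0.113.10"})
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}  {verdict}")
```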