[Leaf-user] Confusing packet in firewall logs

2002-01-15 Thread Julian Church

I know "What's this in my logs" is a common query, but I really am confused 
this time.
I'm getting a few of these in /var/log/messages per minute.

Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)
Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x T=60 (#42)

I'm confused because eth0 is my external interface.  217.149.96.2 is the 
ext IP of the firewall. 192.168.254.254 doesn't appear anywhere on the LAN.

The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl tells me it's 
a return packet from a website someone on my network is trying to view, but 
given the 192.168.x.x source address I'm not sure that's correct.

One more thing that may be significant (or just simple coincidence), I had 
our ADSL service changed from NAT to no-NAT in December, and the NAT 
router's internal address was 192.168.254.254.  I changed over from 
Eigerstein to Dachstein at the same time though (effectively starting from 
scratch), so I don't think it's possible I've got some old setting in the 
firewall still hidden somewhere.

Does anyone have any ideas?

thanks

Julian

-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Confusing packet in firewall logs

2002-01-15 Thread Julian Church

Sorry for replying to myself, but although I don't fully understand what 
was going on I seem to have made the problem stop.

At 11:44 15/01/02 +, Julian Church wrote:
>I'm getting a few of these in /var/log/messages per minute.
>
>Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)

I switched the ADSL router's power off then on about an hour ago, and 
haven't had any of these packets since.  I was getting several of these 
packets per minute so I think it's fair to conclude that the problem has 
been solved.  So it seems pretty certain that the fault was with the router 
somehow.  My guess is that the router started sporadically NAT-ing packets 
again, giving them its old/default NAT'd internal IP address 192.168.254.254.

I suppose it's worth noting (for the benefit of others who might experience 
similar problems) that the Model 5861 BT-branded ADSL routers that British 
Telecom install when you subscribe to their ADSL service can go 
spontaneously wonky in this particular way.

cheers

Julian


-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk





Re: [Leaf-user] Confusing packet in firewall logs

2002-01-15 Thread Scott C. Best

Julian:

Heya. I'm going to go with what fwlog.pl is telling
you on this one. :) The reply does indeed look to be from the
"NAT router" you had previously at 192.168.254.254. There's
no SYN flag set, so it's not a Code-Red packet, and it's
coming at you at a very high port number (61000+) which is
where LEAF boxes do their IP-masquerading.

So...somewhere external to your LAN, a packet from
192.168.254.254 is finding its way to you. Perhaps...when you
changed your ADSL service, your ISP gave your old router to
someone else who is using it misconfigured?

As to why your firewall is logging these at all...the
stock ruleset on Dachstein logs anything that comes from a
source IP of 192.168.x.y. Unless you changed that as part of
your new setup, it's still in there.

Hope this helps!

-Scott


> From: Julian Church <[EMAIL PROTECTED]>
> Subject: [Leaf-user] Confusing packet in firewall logs
>
> I know "What's this in my logs" is a common query, but I really am confused
> this time.
> I'm getting a few of these in /var/log/messages per minute.
>
> Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)
> Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x T=60 (#42)
>
> I'm confused because eth0 is my external interface.  217.149.96.2 is the
> ext IP of the firewall. 192.168.254.254 doesn't appear anywhere on the LAN.
>
> The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl tells me it's
> a return packet from a website someone on my network is trying to view, but
> given the 192.168.x.x source address I'm not sure that's correct.
>
> One more thing that may be significant (or just simple coincidence), I had
> our ADSL service changed from NAT to no-NAT in December, and the NAT
> router's internal address was 192.168.254.254.  I changed over from
> Eigerstein to Dachstein at the same time though (effectively starting from
> scratch), so I don't think it's possible I've got some old setting in the
> firewall still hidden somewhere.
>
> Does anyone have any ideas?
>
> thanks
>
> Julian
>
> --
> [EMAIL PROTECTED]






Re: [Leaf-user] Confusing packet in firewall logs

2002-01-15 Thread Patrick Benson

Julian Church wrote:
> 
> Sorry for replying to myself, but although I don't fully understand what
> was going on I seem to have made the problem stop.
> 
> At 11:44 15/01/02 +, Julian Church wrote:
> >I'm getting a few of these in /var/log/messages per minute.
> >
> >Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)
> 
> I switched the ADSL router's power off then on about an hour ago, and
> haven't had any of these packets since.  I was getting several of these
> packets per minute so I think it's fair to conclude that the problem has
> been solved.  So it seems pretty certain that the fault was with the router
> somehow.  My guess is that the router started sporadically NAT-ing packets
> again, giving them its old/default NAT'd internal IP address 192.168.254.254.

Have you tried typing "192.168.254.254" in a web browser? Since it's
using the http port you just may have some sort of configuration manager
installed that comes along with the router, sort of like weblet on
Eigerstein and Dachstein. I have a Motorola Surfboard SB4100 which has
192.168.100.1 configured for the browser

-- 
Patrick Benson
Stockholm, Sweden




Re: [Leaf-user] Confusing packet in firewall logs

2002-01-16 Thread Julian Church

Hi Patrick,

At 22:16 15/01/02 +0100, Patrick Benson wrote:
>Julian Church wrote:
> > I was getting several of these
> > packets per minute so I think it's fair to conclude that the problem has
> > been solved.  So it seems pretty certain that the fault was with the router
> > somehow.  My guess is that the router started sporadically NAT-ing packets
> > again, giving them its old/default NAT'd internal IP address 192.168.254.254.
>
>Have you tried typing "192.168.254.254" in a web browser? Since it's
>using the http port you just may have some sort of configuration manager
>installed that comes along with the router, sort of like weblet on
>Eigerstein and Dachstein. I have a Motorola Surfboard SB4100 which has
>192.168.100.1 configured for the browser

Yeah, it's got one of those pages, but I don't access it using the address 
192.168.254.254.  But I just now found that browsing to 192.168.254.254 
makes the firewall produce packets very similar to the ones I was confused 
by yesterday in my logs...

Jan 16 08:17:44 firewall kernel: Packet log: input DENY eth0 PROTO=6 
192.168.254.254:80 217.149.96.2:62984 L=44 S=0x00 I=91 F=0x T=60 (#42)

The router then just goes on producing them, and on and on and on - it's 
still doing it, so mystery solved!  Many thanks for the pointers!

Can anyone give me advice what to do with these things?  I tried adding 
tcp_192.168.254.254_80 to SILENT_DENY but it doesn't seem to have done the 
trick for some reason.  Also, I think it would be helpful to block requests 
from my LAN from reaching 192.168.254.254 port 80, so it's harder for 
anyone to accidentally set the router off doing this.

Can anyone help?

Julian

-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk





Re: [Leaf-user] Confusing packet in firewall logs

2002-01-16 Thread Patrick Benson

Julian Church wrote:

> Yeah, it's got one of those pages, but I don't access it using the address
> 192.168.254.254.  But I just now found that browsing to 192.168.254.254
> makes the firewall produce packets very similar to the ones I was confused
> by yesterday in my logs...
> 
> Jan 16 08:17:44 firewall kernel: Packet log: input DENY eth0 PROTO=6
> 192.168.254.254:80 217.149.96.2:62984 L=44 S=0x00 I=91 F=0x T=60 (#42)
> 
> The router then just goes on producing them, and on and on and on - it's
> still doing it, so mystery solved!  Many thanks for the pointers!
> 
> Can anyone give me advice what to do with these things?  I tried adding
> tcp_192.168.254.254_80 to SILENT_DENY but it doesn't seem to have done the
> trick for some reason.  Also, I think it would be helpful to block requests
> from my LAN from reaching 192.168.254.254 port 80, so it's harder for
> anyone to accidentally set the router off doing this.
> 
> Can anyone help?

Is that your model that is shown here?

http://www.adslguide.org.uk/hardware/pictures.asp
http://www.efficientnetworks.com/products/routbus.html

Go into the configuration manager and disable as many items as you can
without interfering with the upstream part to your ISP. You probably
have DHCP settings installed for a LAN which you don't need, i.e. This
explains why you get traffic on your external LEAF interface from
192.168.254.254, because it's coming from the ADSL router itself. You
seem to have 2 routers trying to do similar tasks which causes odd
entries in your log. If you disable those unnecessary items on the ADSL
router then the LEAF router should handle those tasks instead, with
firewalling, etc., and you let the ADSL router act as a pure router,
funneling the traffic to LEAF which should be the "traffic policeman". I
don't use ADSL, myself, so I have to avoid getting into deep water!.. 
;-)
 
Hope you resolve the issue!..

-- 
Patrick Benson
Stockholm, Sweden




Re: [Leaf-user] Confusing packet in firewall logs

2002-01-16 Thread Julian Church

Hi Patrick

At 13:06 16/01/02 +0100, Patrick Benson wrote:

>Is that your model that is shown here?
>
>http://www.adslguide.org.uk/hardware/pictures.asp
>http://www.efficientnetworks.com/products/routbus.html

Yes it is, but BT supply the router with different software including no 
user-configurable options and without the extra features of the proper 
Efficient Networks badged version, like DHCP etc.  Because of this the BT 
version's configuration manager is really just a status / login page.

>Hope you resolve the issue!..

Solved it just now!

My hunch was that once the ADSL router received an http request on 
192.168.254.254 tcp port 80, it replies on the same port.  When the 
firewall is set to DENY these packets they're just logged, dropped and 
ignored, the router gets no indication that the data has been received, so 
retries and retries and retries forever.  I set the firewall to let these 
packets from this address and port pass through with :

$IPCH -I input 1 -j ACCEPT -p tcp -s 192.168.254.254 80 ! -y -d 0/0 -i $EXTERN_IF

So now (I suppose) the ADSL router can serve its status page data 
properly, get whatever response it expects from the browser, and stop 
sending data.

Thanks to everyone who helped.

Julian Church.

-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk


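The checks Scott applied earlier in the thread (private source address arriving on the external interface, no SYN flag, destination port in the 61000+ masquerading range) and the ACCEPT rule Julian finally used, worked through as an added example that is not part of the original thread or of LEAF/ipchains. It assumes the Linux 2.2 masquerade port range 61000-65095, the interface name eth0 from the logs, and a constructed third log line carrying the SYN flag; the regular expression and the rule matcher are simplifications written for this example, not ipchains' own parsing or matching code.

```python
"""Added example: parse ipchains "Packet log:" lines, apply the heuristics from the
thread, and simulate the ACCEPT rule Julian added. Not code from the thread or LEAF."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Linux 2.2 / ipchains IP masquerading rewrote source ports into this range (assumed default).
MASQ_PORTS = range(61000, 65096)

# Matches the ipchains log format seen in the thread; F= is allowed to be empty because
# the archived lines show "F=0x" with the value cut off.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]*) "
    r"T=(?P<ttl>\d+)(?P<extra>(?: \S+)*?) \(#(?P<rule>\d+)\)"
)


@dataclass
class Packet:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    syn: bool   # ipchains appends a "SYN" token when SYN is set without ACK
    rule: int


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for an ipchains log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    extra = m.group("extra").split()
    return Packet(
        chain=m.group("chain"), verdict=m.group("verdict"), iface=m.group("iface"),
        proto=int(m.group("proto")),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        ttl=int(m.group("ttl")), syn="SYN" in extra, rule=int(m.group("rule")),
    )


def classify(pkt: Packet, external_ifaces=("eth0",)) -> List[str]:
    """Apply the reasoning from the thread and return human-readable findings."""
    findings = []
    if pkt.iface in external_ifaces and ipaddress.ip_address(pkt.src).is_private:
        findings.append("private (RFC 1918) source on the external interface: leaked NAT or bogus source")
    if pkt.proto == 6 and not pkt.syn:
        findings.append("TCP without SYN: a reply or continuation, not a new connection attempt")
    if pkt.dport in MASQ_PORTS:
        findings.append("destination port in masquerade range 61000-65095: looks like a return packet")
    return findings


@dataclass
class IpchainsRule:
    """Simplified subset of ipchains match options: -p, -s addr port, ! -y, -i (dst 0/0 assumed)."""
    proto: Optional[int] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    not_syn: bool = False     # "! -y": match only packets that are NOT SYN-only
    iface: Optional[str] = None
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.not_syn and pkt.syn:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        return True


# Julian's rule from the thread, with $EXTERN_IF assumed to be eth0:
#   $IPCH -I input 1 -j ACCEPT -p tcp -s 192.168.254.254 80 ! -y -d 0/0 -i $EXTERN_IF
JULIAN_RULE = IpchainsRule(proto=6, src="192.168.254.254", sport=80, not_syn=True, iface="eth0")

# Constructed sample input: the first two lines are the thread's own log lines re-joined
# onto one line each; the third is invented to show a SYN packet the rule must NOT accept.
SAMPLE_LOG = """\
Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)
Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x T=60 (#42)
Jan 16 09:00:00 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:1234 L=60 S=0x00 I=100 F=0x4000 T=60 SYN (#42)
"""


def analyse(log_text: str = SAMPLE_LOG):
    """Parse every line; return (packet, findings, accepted_by_julian_rule) tuples."""
    out = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            out.append((pkt, classify(pkt), JULIAN_RULE.matches(pkt)))
    return out


if __name__ == "__main__":
    for pkt, findings, accepted in analyse():
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} syn={pkt.syn} accepted={accepted}")
        for f in findings:
            print("   -", f)
```

Run it as a script to see the two archived packets flagged as non-SYN return traffic from a private address into the masquerade port range, and accepted by the rule, while the constructed SYN packet is rejected by the `! -y` clause.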