On Wed, Jan 01, 2020 at 11:12:51AM +0000, David Watkins wrote:
> My configuration is a BT Homehub 5 as my ISP access point connected to my
> shorewall firewall box on eth1 (192.168.1.1).  My home network is connected
> to the firewall on eth0 (192.168.0.1).

> 10s of thousands - mostly attempting to connect to port 37970.

I do see that it seems to be "trending"
https://isc.sans.edu/port.html?port=37970

> 1. What's going on here and should I be worried?
> 
> 2. Why is shorewall correctly blocking these packets but my BT Homehub
> is not?  The Homehub firewall is enabled and set to drop all
> unsolicited incoming traffic.

Are you sure?  Did you check its configuration?  And/or power cycle it?
It's possible someone attacked it and reconfigured it for your..

> Dec 29 11:06:28 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= 
> MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 
> DST=192.168.1.1 LEN=317 TOS=0x00 PREC=0x00 TTL=116 ID=5815 PROTO=UDP 
> SPT=42620 DPT=37970 LEN=297

It says DST=192.168.1.1, which means the "homehub" is forwarding incoming
requests there.  Either because you configured one (or apparently several) port
forwards, or something similar like "DMZ host" setting.

On Wed, Jan 01, 2020 at 01:00:13PM +0100, Witold Tosta wrote:
> Or is it possible to set up this homehub as a transparent bridge? Without
> routing and firewalling functions.

.. Or because homehub is already set to bridging mode, which would exactly
explain the behavior.

> Dec 29 11:06:32 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= 
> MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 
> DST=192.168.1.1 LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=5816 PROTO=UDP 
> SPT=42620 DPT=37970 LEN=111

Note, there are no TCP packets shown, so we can't see what FLAGS were there,
which would be interesting.

Justin
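
Added example, not part of the original message or of Shorewall itself: a small parser for the Shorewall kernel log lines quoted above that tallies drops per source/protocol/destination port and collects private DST addresses, the field the reply uses to infer that the Homehub is passing traffic through. The sample input is constructed from the two quoted entries, unwrapped to one line each; the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two log entries quoted in the thread, one per line.
_COMMON = ("piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= "
           "MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=5.251.248.53 "
           "DST=192.168.1.1 ")
SAMPLE_LOG = "\n".join([
    "Dec 29 11:06:28 " + _COMMON + "LEN=317 TOS=0x00 PREC=0x00 TTL=116 ID=5815 "
    "PROTO=UDP SPT=42620 DPT=37970 LEN=297",
    "Dec 29 11:06:32 " + _COMMON + "LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=5816 "
    "PROTO=UDP SPT=42620 DPT=37970 LEN=111",
])

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:"
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")
# netfilter LOG fields are KEY=value pairs; the value may be empty (e.g. "OUT=")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return a dict of fields for a Shorewall log line, or None if not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    for key, value in FIELD.findall(line[m.end():]):
        rec.setdefault(key, value)  # keep the first LEN (IP length, not UDP length)
    return rec

def summarize(log_text):
    """Count packets per (SRC, PROTO, DPT) and collect private DST addresses."""
    hits, private_dsts = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "DST" not in rec:
            continue
        hits[(rec.get("SRC"), rec.get("PROTO"), int(rec.get("DPT", 0)))] += 1
        # A private DST on the net-facing interface is the clue discussed in the
        # reply: the upstream box delivered the packet to this internal address.
        if ipaddress.ip_address(rec["DST"]).is_private:
            private_dsts.add(rec["DST"])
    return hits, private_dsts

if __name__ == "__main__":
    counts, dsts = summarize(SAMPLE_LOG)
    for (src, proto, dpt), n in counts.most_common():
        print(f"{n:6d}  {src} -> {proto}/{dpt}")
    print("private DST seen on net interface:", sorted(dsts))
```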

