To All who replied,
Interesting that port 37970 is trending. My Googling failed to find that
out so thanks for that pointer.
I'm fairly sure my BT Homehub setup hasn't been compromised (except by BT
themselves who seem to be able to fiddle with it if they wish). I'll
change the admin password and restart it to make sure - the firewall is
definitely showing as up.
I'll also try turning off UPnP to see what effect that has, though my gut
feeling is that this isn't the problem here.
Interesting comment about the TCP Flags also. I didn't really know they
existed. I'll do some research on those and see if I can learn anything.
There are no TCP packets in the log to port 37970 but there are similar TCP
packets aimed at other ports. I've attached a very small snippet of the
'messages' log. Does that show the Flags?
Otherwise I think you've reinforced my suspicion that the Homehub is not
behaving as it should, and I'll take that up on the BT User forums. There
are some WAN and DMZ settings I think that I can look at which may not be
correctly set I suppose. Making it transparent seems a good idea.
I think my Shorewall firewall is behaving as it should. I did wonder if
the presence of the firewall box upstream was confusing the Homehub, but I
don't think that's the case? I'll concentrate my attention on the Homehub.
Best Wishes and thanks for your help.
D
On Wed, 1 Jan 2020 at 15:20, Witold Tosta <witold.to...@gmail.com> wrote:
> > On Wed, Jan 01, 2020 at 01:00:13PM +0100, Witold Tosta wrote:
> >> Or is it possible to set up this homehub as a transparent bridge? Without
> >> routing and firewalling functions.
>
> I meant full transparent mode for this homehub device. Not even DMZ
> mode, where all the traffic coming to a given port is forwarded further
> 1:1 to the same ports behind it. I used to have an ADSL modem that
> could work in two modes. First: a DMZ router that worked like the DMZ
> mode above. And the transparent bridge modem mode, which was invisible
> to the user. As a result, the Internet IP address was already seen on
> the Linux shorewall router interface. Also, the attacker was not able to
> reprogram the ADSL modem, because he did not see the IP address of this
> device at all. Maybe your homehub is able to be set up in a similar way.
> Then you will rule out the weakness of this device's security and you
> will be able to control traffic through the shorewall firewall.
>
> Best regards.
> Witek
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
Dec 29 05:01:56 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=220.121.97.43 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=234 ID=7849 PROTO=TCP SPT=59466 DPT=8933 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:02:44 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.53.127.123 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=60460 PROTO=TCP SPT=52219 DPT=3348 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:02:53 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.119.160.68 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=10768 PROTO=TCP SPT=48901 DPT=4018 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:03:13 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=61.74.237.13 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=45 ID=49490 PROTO=TCP SPT=56932 DPT=2323 WINDOW=55148 RES=0x00 SYN URGP=0
Dec 29 05:03:23 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.118.37.74 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=38878 PROTO=TCP SPT=52060 DPT=28983 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:03:32 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.118.37.74 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=63822 PROTO=TCP SPT=52060 DPT=59935 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:03:59 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=81.22.45.219 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=54841 PROTO=TCP SPT=40846 DPT=6689 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:04:04 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.118.37.74 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=387 PROTO=TCP SPT=52060 DPT=18064 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:04:18 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=185.200.118.44 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44298 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 05:04:20 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=45.136.108.123 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=44698 PROTO=TCP SPT=50450 DPT=6263 WINDOW=1024 RES=0x00 SYN URGP=0
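Added example, not from the thread or from Shorewall itself: a small Python parser for the netfilter LOG format in the snippet above. In these lines the TCP flags are the bare tokens between RES= and URGP= (here always a lone SYN, i.e. unsolicited connection attempts), and grouping dropped packets by SRC makes the repeated same-source-port probes from one address visible. The TCP sample lines are taken from the snippet; the UDP line to port 37970 is constructed for illustration.

```python
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Sample input: TCP lines re-joined from the thread's 'messages' snippet;
# the final UDP line (198.51.100.7, a documentation address) is constructed.
SAMPLE_LOG = """\
Dec 29 05:01:56 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=220.121.97.43 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=234 ID=7849 PROTO=TCP SPT=59466 DPT=8933 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:03:23 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.118.37.74 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=38878 PROTO=TCP SPT=52060 DPT=28983 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:03:32 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.118.37.74 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=63822 PROTO=TCP SPT=52060 DPT=59935 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:04:04 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=92.118.37.74 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=387 PROTO=TCP SPT=52060 DPT=18064 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 29 05:05:10 piccolo kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:60:81:3a:06:73:9c:80:df:47:1a:26:08:00 SRC=198.51.100.7 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=UDP SPT=40000 DPT=37970 LEN=40
"""


def parse_shorewall_line(line):
    """Split one Shorewall LOG line into its KEY=VALUE fields.

    Bare tokens after RES= (SYN, ACK, ...) are the TCP flags that are set and
    are collected into rec["flags"]. Returns None for non-Shorewall lines.
    """
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)", line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # "OUT=" yields an empty value
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def parse_log(text):
    return [r for r in (parse_shorewall_line(l) for l in text.splitlines()) if r]


def ports_per_source(records):
    """Distinct destination ports each source address was seen probing."""
    hits = defaultdict(set)
    for r in records:
        hits[r["SRC"]].add(int(r["DPT"]))
    return {src: sorted(ports) for src, ports in hits.items()}


def syn_only_scanners(records, min_ports=3):
    """Sources whose TCP packets are all bare SYNs (new connection attempts,
    never replies) spread over >= min_ports ports: the pattern 92.118.37.74
    shows in the snippet, and exactly what a net2fw DROP policy should absorb."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("PROTO") == "TCP":
            by_src[r["SRC"]].append(r)
    return sorted(src for src, recs in by_src.items()
                  if all(r["flags"] == {"SYN"} for r in recs)
                  and len({r["DPT"] for r in recs}) >= min_ports)
```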