Hi,

I set up my Shorewall gateway with the following logic:
 - accept incoming connections for ports tcp 443, 80, and several others.
 - all other connection attempts to other ports are dropped and the
source IP address is included in an ipset blacklist so subsequent
connection attempts even to "legit" open ports are dropped for x
amount of time.

In general, this works fine.

However, once in a while I get what seem to be false positives.

For instance, a known user usually connects fine to port 443 with an
external IP address (1.2.3.4). Somehow, at some point Shorewall
reports the following line in the log:

IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00
TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3

The user has no idea what this UDP connection is for, and I haven't
found any program using this port (58129 is supposed to be in the
dynamic range).
In any case, there are similar examples with other UDP and TCP ports.

So, could this really be unwanted/dangerous traffic, or am I being too
conservative?
Should I use TARPIT (honeypot) to see what kind of data is being sent
in these cases?
Does anyone have a working example to actually capture the data?

Regards,

Vieri
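As an added example (not from the original post or from Shorewall itself): a small Python triage script that parses netfilter LOG lines like the one quoted above and flags UDP sent from a high source port to a high destination port as a likely late reply to an outbound flow whose conntrack entry expired, rather than a probe, so an ipset blacklist can be reserved for packets aimed at service ports. The two extra log lines, the port thresholds and the verdict names are constructed assumptions.

```python
from typing import Dict, List, Tuple, Union

# Constructed sample log: the line quoted in the post plus two made-up lines
# (198.51.100.7 and 203.0.113.9 are documentation addresses, not real hosts).
SAMPLE_LOG = """\
IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
IN=ppp3 OUT= MAC= SRC=198.51.100.7 DST=4.3.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
IN=ppp3 OUT= MAC= SRC=203.0.113.9 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=UDP SPT=41152 DPT=53 LEN=52
"""

EPHEMERAL = range(49152, 65536)  # IANA dynamic/private port range (assumed threshold)

def parse_nflog(line: str) -> Dict[str, Union[str, bool]]:
    """Split a netfilter LOG line into key/value fields.
    Bare tokens (DF, SYN, ACK) become True; empty values (OUT=, MAC=) stay ''.
    LEN occurs twice (IP total length, then UDP/TCP length): the second copy is
    stored as L4_LEN so it does not silently overwrite the first."""
    fields: Dict[str, Union[str, bool]] = {}
    for tok in line.split():
        if '=' not in tok:
            fields[tok] = True
            continue
        key, val = tok.split('=', 1)
        if key == 'LEN' and 'LEN' in fields:
            key = 'L4_LEN'
        fields[key] = val
    return fields

def classify(f: Dict[str, Union[str, bool]]) -> str:
    """Heuristic verdict for one dropped packet (defender's view).
    'stray-reply': UDP from a high port to an ephemeral port, the shape of a
        late answer to an earlier outbound flow (the case in the post).
    'probe': a TCP SYN or a UDP datagram aimed at a service port (< 1024)."""
    proto = f.get('PROTO')
    spt, dpt = int(str(f.get('SPT', 0))), int(str(f.get('DPT', 0)))
    if proto == 'UDP' and dpt in EPHEMERAL and spt >= 1024:
        return 'stray-reply'
    if dpt < 1024 and (proto == 'UDP' or f.get('SYN') is True):
        return 'probe'
    return 'unknown'

def triage(log_text: str) -> List[Tuple[str, str, bool]]:
    """Return (SRC, verdict, blacklist?) per log line. Only probes earn a
    blacklist entry, so a known user's stray UDP reply does not lock them out."""
    results = []
    for line in log_text.splitlines():
        if 'SRC=' not in line:
            continue  # skip lines that are not netfilter LOG records
        f = parse_nflog(line)
        verdict = classify(f)
        results.append((str(f['SRC']), verdict, verdict == 'probe'))
    return results

if __name__ == '__main__':
    for src, verdict, ban in triage(SAMPLE_LOG):
        print(f'{src:15} {verdict:12} blacklist={ban}')
```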


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users