I noticed there are some strange logs on one of my home PCs (400sc) running
Debian sid/Shorewall. Somehow this packet passed my home server (dell)
running Debian sarge and reached the 400sc. I don't understand how it could
penetrate the Shorewall on the server, as I didn't set up any port
forwarding at all. I hope someone here can give me some insights on what
this means and how I could prevent it from happening again.

Here is my home network setup:

    dsl---eth0---dell/debian sarge/shorewall
                    |
              eth1(192.168.0.1)
                    |
                    | wired connection
                    |
           dlink wireless router
                    |
                    | wired connection
                    |
             eth0(192.168.0.40)
                    |
         400sc/debian sid/shorewall

And here is the strange message from the 400sc log:

Dec 5 20:42:25 400sc kernel: Shorewall:eth0_mac:REJECT:IN=eth0 OUT=
MAC=mac of 192.168.0.40/eth0:mac of 192.168.0.1/eth1:08:00
SRC=202.108.45.50 DST=192.168.0.40 LEN=52 TOS=0x00 PREC=0x00 TTL=46
ID=45333 DF PROTO=TCP SPT=80 DPT=35863 WINDOW=58 RES=0x00 ACK URGP=0

I can attach the config files if needed.

Thanks,
--
suan

On Friday 09 December 2005 17:06, suanccd@gmail.com wrote:
> I noticed there are some strange logs on one of my home PCs (400sc) running
> Debian sid/Shorewall. Somehow this packet passed my home server (dell)
> running Debian sarge and reached the 400sc. I don't understand how it could
> penetrate the Shorewall on the server, as I didn't set up any port
> forwarding at all. I hope someone here can give me some insights on what
> this means and how I could prevent it from happening again.
>
> Here is my home network setup:
>
>     dsl---eth0---dell/debian sarge/shorewall
>                     |
>               eth1(192.168.0.1)
>                     |
>                     | wired connection
>                     |
>            dlink wireless router
>                     |
>                     | wired connection
>                     |
>              eth0(192.168.0.40)
>                     |
>          400sc/debian sid/shorewall
>
> And here is the strange message from the 400sc log:
>
> Dec 5 20:42:25 400sc kernel: Shorewall:eth0_mac:REJECT:IN=eth0 OUT=
> MAC=mac of 192.168.0.40/eth0:mac of 192.168.0.1/eth1:08:00
> SRC=202.108.45.50 DST=192.168.0.40 LEN=52 TOS=0x00 PREC=0x00 TTL=46
> ID=45333 DF PROTO=TCP SPT=80 DPT=35863 WINDOW=58 RES=0x00 ACK URGP=0
>

Given that this packet is being rejected because of MAC filtration, it looks
to me like a maclist configuration error. Note that it is a simple response
packet from a remote web server somewhere on the net.

Also, given that the packet is going through maclist filtration, it is in
the NEW state even though it is not a SYN packet. So for some reason,
Shorewall doesn't know about this connection -- possibly because of packet
loss during session termination or because your firewall was rebooted within
the last several days.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Friday 09 December 2005 17:28, Tom Eastep wrote:
> Also given that the packet is going through maclist filtration, it is in
> the NEW state even though it is not a SYN packet.

Actually, it could also be in the INVALID state, which is more likely. The
rest of my post still applies.

-Tom
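
Added example, not part of the original thread and not Shorewall's own code: a small parser for the log line above that recovers the chain, action and TCP flags, then labels the packet the way the reply reasons about it (an ACK without SYN from port 80 to a high port is a server reply for a connection the firewall is not tracking). The MAC value in the sample is constructed, and the port-based heuristic in classify() is an assumption for illustration.

```python
import re

# Constructed sample: the log line from the thread, with the redacted MAC
# replaced by a made-up value in the kernel's dst:src:ethertype layout.
SAMPLE = ("Dec  5 20:42:25 400sc kernel: Shorewall:eth0_mac:REJECT:IN=eth0 OUT= "
          "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
          "SRC=202.108.45.50 DST=192.168.0.40 LEN=52 TOS=0x00 PREC=0x00 TTL=46 "
          "ID=45333 DF PROTO=TCP SPT=80 DPT=35863 WINDOW=58 RES=0x00 ACK URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

def parse(line):
    """Split a Shorewall/netfilter log line into chain, action, fields, flags."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    mac = fields.get("MAC", "").split(":")
    if len(mac) == 14:  # dst MAC (6) + src MAC (6) + ethertype (2)
        fields["MAC_DST"] = ":".join(mac[:6])
        fields["MAC_SRC"] = ":".join(mac[6:12])
    return {"chain": m.group("chain"), "action": m.group("action"),
            "fields": fields, "flags": flags}

def classify(pkt):
    """Heuristic label (assumption): low source port + no SYN = server reply."""
    f, flags = pkt["fields"], pkt["flags"]
    if f.get("PROTO") != "TCP":
        return "not-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"
    if "SYN" not in flags and int(f.get("SPT", 0)) < 1024 <= int(f.get("DPT", 0)):
        return "reply-for-untracked-connection"
    return "other"

if __name__ == "__main__":
    pkt = parse(SAMPLE)
    print(pkt["chain"], pkt["action"], pkt["fields"]["MAC_SRC"], classify(pkt))
```

The MAC_SRC field is the address to compare against the maclist entries for the interface named in the chain (eth0 here).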