Nachman Yaakov Ziskind
2003-Sep-23 20:29 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 10, Issue 68
> On Tue, 23 Sep 2003, Nachman Yaakov Ziskind wrote:
>
> > > Message: 6
> > > Date: 23 Sep 2003 11:39:41 -0700
> > > From: Tom Eastep <teastep@shorewall.net>
> > > On Tue, 2003-09-23 at 11:07, Nachman Yaakov Ziskind wrote:
> > > >
> > > > Basically, I've been left to fend for myself. So, I was wondering
> > > > if there was anything I could develop on my end (I'm running
> > > > Shorewall 1.4.4b) to glean more information about the
> > > > attacker(s) ...
> > >
> > > I personally would modify my rfc1918 file to not log that source
> > > address.
> >
> > IOW, just ignore it? *sigh* Maybe I should. But I get a LOT of them,
> > sometimes several packets a second, and I'm wondering if my tiny little
> > firewall (Bering LEAF v1.0) is getting overwhelmed.
> >
> > > Are the messages you posted the raw messages from your log or are they
> > > produced by "shorewall show log"? If the latter, you might look at the
> > > raw log; if you are lucky, there will be a MAC address logged (and the
> > > address isn't the address of your ISP's router).
> > >
> > > -Tom
> >
> > Alas, no luck. Those are from /var/log/messages.
> >
> > Suppose I'm looking at the firewall in the *middle of an attack*. Might
> > other information be gleaned then? I'm just fishing for ideas.
>
> You can use tcpdump to capture the traffic during an attack. Also, look at
> "arp -na" on your firewall; that will also show the MAC of the device that is
> sending you these packets (again, it may be your ISP's router).

Nothing from arp -na, I'm afraid, and I tried tcpdump with these options:

# tcpdump -i eth0 -nvvv -s122 net 10.6.0.0 mask 255.255.0.0

with results like these:

22:59:19.690195 10.6.17.240.1025 > 38.119.130.2.137:>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0xF526
OpCode=0
NmFlags=0x0
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name
WARNING: Short packet. Try increasing the snap length
 (ttl 115, id 24245, len 78)

I believe -vvv is the most verbose option, and -s122 should give me the
entire 78 byte packet. But nowhere do I see the MAC address, or other
routing information. :-( I suppose I'm being clueless again (well, I *did*
read the tcpdump man page). Any further suggestions?

--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM awacs@egps.com
Attorney and Counselor-at-Law http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants
Tom Eastep
2003-Sep-23 20:32 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 10, Issue 68
On Tue, 23 Sep 2003, Nachman Yaakov Ziskind wrote:

> But nowhere do I see the MAC address, or other routing information. :-(

You need the -e option...

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
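Once tcpdump is run with -e, the link-layer source address appears on every frame, and the remaining question from the thread is whether that address belongs to the ISP's router (from arp -na) or to something else. The script below is an added example, not from this thread or from Shorewall; it parses constructed `tcpdump -e -n` output in the modern format (the thread's own capture predates it and had no -e) together with constructed `arp -na` output, and groups the spoofed RFC1918 source IPs by the MAC that delivered them. All addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample output of `tcpdump -e -n` on the WAN interface (modern
# tcpdump -e line format, assumed here; the thread's own capture was taken
# without -e, so it carried no link-layer addresses). MACs/IPs are made up.
TCPDUMP_E = """\
22:59:19.690195 00:50:04:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 92: 10.6.17.240.1025 > 38.119.130.2.137: UDP, length 50
22:59:19.702311 00:50:04:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 92: 10.6.17.241.1025 > 38.119.130.2.137: UDP, length 50
22:59:20.015778 00:1a:2b:3c:4d:5e > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 60: 192.168.0.7.3000 > 38.119.130.2.80: Flags [S], seq 1, win 8192, length 0
"""

# Constructed sample output of `arp -na` on the same firewall (one neighbour: the upstream router).
ARP_NA = """\
? (38.119.130.1) at 00:50:04:aa:bb:cc [ether] on eth0
"""

FRAME_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)
ARP_RE = re.compile(r"^\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})")

def parse_arp(text):
    """Map MAC -> IP for every neighbour that arp -na knows about."""
    return {m["mac"]: m["ip"] for m in map(ARP_RE.match, text.splitlines()) if m}

def attribute_sources(capture, arp_table):
    """Group captured source IPs by the Ethernet address that delivered them.
    Returns {src_mac: {"ips": sorted list, "packets": n, "neighbour": ip or None}}."""
    out = defaultdict(lambda: {"ips": set(), "packets": 0, "neighbour": None})
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # not an IPv4 frame line in the expected -e -n format
        rec = out[m["smac"]]
        rec["ips"].add(m["sip"])
        rec["packets"] += 1
        rec["neighbour"] = arp_table.get(m["smac"])  # None if the MAC is not a known neighbour
    return {mac: {**r, "ips": sorted(r["ips"])} for mac, r in out.items()}

if __name__ == "__main__":
    for mac, r in attribute_sources(TCPDUMP_E, parse_arp(ARP_NA)).items():
        via = f"known neighbour {r['neighbour']}" if r["neighbour"] else "unknown host (not in ARP table)"
        print(f"{mac}: {r['packets']} packets from {', '.join(r['ips'])} via {via}")
```

A source MAC that matches the ISP router's ARP entry means the packets are forwarded from upstream and only the ISP can trace them further; a MAC absent from the ARP table points at a host on the local segment.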