HELP!

My log shows this. I have a firewall with 3 NIC's.

eth0 = internal net
eth1 = external net (Internet)
eth2 = dmz

eth1 has a real ip. 195.0.29.2.

The logs show this? It seems that my firewall tries to do something VERY strange?

...
Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=195.0.29.2 DST=212.190.148.51 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1904 DPT=9000
Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=195.0.29.2 DST=212.190.148.51 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1905 DPT=9000
Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=195.0.29.2 DST=212.190.148.51 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1906 DPT=9000
...

What can I do to check what is going on?

Thanks!

Andy.

Andy.Geraerts@care4data.com wrote:
> HELP!
>
> My log shows this. I have a firewall with 3 NIC's.
>
> eth0 = internal net
> eth1 = external net (Internet)
> eth2 = dmz
>
> eth1 has a real ip. 195.0.29.2.
>
> The logs show this? It seems that my firewall tries to do something VERY
> strange?
>
> ...
> Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=195.0.29.2 DST=212.190.148.51
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1904 DPT=9000
> Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=195.0.29.2 DST=212.190.148.51
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1905 DPT=9000
> Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=195.0.29.2 DST=212.190.148.51
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1906 DPT=9000
> ...
>
> What can I do to check what is going on?
>

You've truncated the messages so it's a bit hard to tell but it looks like a process on your firewall is trying to connect to TCP port 9000 on 212.190.148.51 (uu212-190-148-51.unknown.uunet.be).

I would repeatedly "netstat -nap --tcp" to try to catch the program.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

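Added example, not part of the original thread: a small shell helper for the polling suggested in the reply above, which filters `netstat -nap --tcp` output for the remote address and port seen in the REJECT lines and prints the owning PID/program. The function names, the polling defaults and the sample netstat output (including the process name `exampled`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: catch the local process behind the rejected connections
# by polling netstat for sockets whose remote end is a given IP:port.

# Constructed sample of `netstat -nap --tcp` output for offline checking.
# The PID and program name "exampled" are hypothetical.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      1 195.0.29.2:1907         212.190.148.51:9000     SYN_SENT    4321/exampled
EOF
}

# Read netstat output on stdin and print "state pid/program local-address"
# for every TCP socket whose Foreign Address equals $1 (IP:port).
# netstat columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
match_remote() {
    awk -v remote="$1" '$1 ~ /^tcp/ && $5 == remote { print $6, $7, $4 }'
}

# Poll until a matching socket shows up or the attempts run out.
# $1 = remote IP:port, $2 = attempts (default 600), $3 = seconds between
# polls (default 1; GNU sleep also accepts fractions such as 0.2).
catch_remote() {
    remote=$1; tries=${2:-600}; delay=${3:-1}
    while [ "$tries" -gt 0 ]; do
        hit=$(netstat -nap --tcp 2>/dev/null | match_remote "$remote")
        if [ -n "$hit" ]; then
            # Timestamp the hit so it can be lined up with the firewall log.
            printf '%s %s\n' "$(date '+%H:%M:%S')" "$hit"
            return 0
        fi
        tries=$((tries - 1))
        sleep "$delay"
    done
    return 1
}

# Usage, as root so the PID/Program column is filled in:
#   catch_remote 212.190.148.51:9000
```
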
How do I find out why this is getting logged? (I don't want it logged...)

Oct 17 16:30:56 lucy kernel: Shorewall:logpkt:LOG:IN=ppp0 OUT=eth0 SRC=208.203.56.245 DST=192.168.1.19 LEN=184 TOS=0x00 PREC=0x80 TTL=242 ID=30461 PROTO=UDP SPT=2233 DPT=2233 LEN=164

Ian Hunter wrote:
> How do I find out why this is getting logged? (I don't want it logged...)
>
> Oct 17 16:30:56 lucy kernel: Shorewall:logpkt:LOG:IN=ppp0 OUT=eth0
> SRC=208.203.56.245 DST=192.168.1.19 LEN=184 TOS=0x00 PREC=0x80 TTL=242
> ID=30461 PROTO=UDP SPT=2233 DPT=2233 LEN=164
>

Turn off 'logunclean' on ppp0 if you don't like unclean packets being logged.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net