Hi All,

I have set up the belt-and-suspenders approach firewall following the instructions on http://www.skippy.net/linux/firewall/. Yesterday I came across this strange entry in my firewall1 logs. I'm quite new to this, so I'm not sure if this entry is normal or not; the strange thing is that neither the SRC nor the DST address is in any of my IP ranges. Is this because someone is trying to spoof the IP and go out through one of my machines in the DMZ? I cannot figure out why my IP range (either the DMZ or the firewall itself) is not in either the SRC or the DST field. I haven't noticed any other strange behaviour. Can anyone please advise me on this?

Also, does anyone know of a good monitoring tool I can use to monitor traffic on the DMZ and local network?

eth1 is my loc nic (for DMZ) and eth0 is my nic connection to network.

Sep 30 15:20:03 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253 ID=11237 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0
Sep 30 15:20:05 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253 ID=11238 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0

Thanks in advance.

A. Karim.
Abdul Karim wrote:
>
> eth1 is my loc nic (for DMZ) and eth0 is my nic connection to network.
>
> Sep 30 15:20:03 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0
> SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253
> ID=11237 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0
>
> Sep 30 15:20:05 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0
> SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253
> ID=11238 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0
>

There's a Windoze box in your DMZ that is configured for DHCP but was unable to contact a DHCP server. The Windoze box has configured its own dynamic IP address from the range reserved for that purpose (169.254.0.0/16).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
> Abdul Karim wrote:
>
>>
>> eth1 is my loc nic (for DMZ) and eth0 is my nic connection to network.
>> Sep 30 15:20:03 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1
>> OUT=eth0
>> SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253
>> ID=11237 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0
>> Sep 30 15:20:05 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1
>> OUT=eth0
>> SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253
>> ID=11238 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0
>
>
> There's a Windoze box in your DMZ that is configured for DHCP but was
> unable to contact a DHCP server. The Windoze box has configured its own
> dynamic IP address from the range reserved for that purpose
> (169.254.0.0/16).
>

Actually, the Windoze box could be in your local network if the above messages are being reported from the outer firewall.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
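The two replies above boil down to a check a firewall admin can automate: parse the Shorewall REJECT line, see whether the SRC address belongs on the interface it came IN on, and recognise 169.254.0.0/16 as a self-assigned (failed DHCP) address rather than a spoof. The script below is an added example written for this thread; it is not Shorewall's code nor Tom's or Abdul's. The two sample log lines are copied from the thread, the SITE_NETS ranges are hypothetical placeholders for the poster's own DMZ/local addressing, and KNOWN_PORTS is a small hand-made port table.

```python
"""Parse Shorewall/netfilter REJECT log lines and flag source addresses that
do not belong on the interface they arrived on (e.g. 169.254.x.x auto-config).
Added example for the thread above; not part of Shorewall."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the two REJECT lines quoted in the thread.
SAMPLE_LOG = """\
Sep 30 15:20:03 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253 ID=11237 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0
Sep 30 15:20:05 firewall1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=169.254.216.213 DST=212.69.206.242 LEN=48 TOS=0x00 PREC=0x00 TTL=253 ID=11238 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=32768 RES=0x00 SYN URGP=0
"""

# Hypothetical site addressing, keyed by the interface a packet came IN on.
# The poster said eth1 faces the DMZ; the range itself is a placeholder.
SITE_NETS = {
    "eth1": ipaddress.ip_network("192.168.1.0/24"),
}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 auto-configured addresses
KNOWN_PORTS = {25: "smtp", 53: "dns", 80: "http", 110: "pop3", 143: "imap", 443: "https"}

HEAD_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=value tokens; bare flags (DF, SYN) are skipped


def parse_line(line):
    """Return a dict of the Shorewall fields in one log line, or None if not a Shorewall line."""
    m = HEAD_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def classify(rec, site_nets=SITE_NETS):
    """Say whether the SRC address is plausible for the interface it arrived on."""
    src = ipaddress.ip_address(rec["SRC"])
    in_if = rec.get("IN", "")
    dport = int(rec["DPT"]) if "DPT" in rec else None
    expected = site_nets.get(in_if)
    finding = {
        "src": str(src),
        "dst": rec.get("DST"),
        "in": in_if,
        "dport": dport,
        "service": KNOWN_PORTS.get(dport, "unknown"),
        "link_local": src in LINK_LOCAL,
        "off_range": expected is not None and src not in expected,
    }
    if finding["link_local"]:
        finding["hint"] = (f"a host on the {in_if} segment could not reach a DHCP server "
                           f"and self-assigned {src}; locate it via its MAC address")
    elif finding["off_range"]:
        finding["hint"] = f"{src} arrived on {in_if} but is outside {expected}: misconfigured or spoofed"
    else:
        finding["hint"] = "source is consistent with its interface"
    return finding


def analyze_log(text, site_nets=SITE_NETS):
    """Classify every Shorewall line in a block of log text."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return [classify(r, site_nets) for r in recs]


def count_flows(text):
    """Count packets per (SRC, SPT, DST, DPT): repeated SYNs are one retried connection, not many."""
    flows = Counter()
    for r in filter(None, map(parse_line, text.splitlines())):
        flows[(r["SRC"], r.get("SPT"), r["DST"], r.get("DPT"))] += 1
    return flows


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} ({f['service']}) on {f['in']}: {f['hint']}")
    for flow, n in count_flows(SAMPLE_LOG).items():
        print(f"{n} packet(s) for flow {flow}")
```

Run against the thread's two lines this reports one flow (same SRC/SPT/DST/DPT, consecutive IP IDs two seconds apart, i.e. one POP3 connection attempt and its retry), with a link-local source that is also outside the assumed eth1 range. Because a 169.254.x.x address is self-assigned, the machine cannot be found by IP in a DHCP lease table; its MAC address on the eth1 segment is the practical handle.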
Thanks Tom,

I will have to have a look at my machines on the local network. If it's from my internal network, I have an internal DHCP server which all local machines get their IP addresses from, and it is allocating correct IPs on the local network. I will also look at all my machines in the DMZ; it is possible it could be one of them, as I did at one stage have one or two on the internal network using DHCP.

Thanks.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, October 01, 2002 5:39 PM
To: Abdul Karim
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Strange firewall log