Shorewall users - Jan 2003 - OT:

For the last couple of days, I''ve been seeing a bunch of these from 8 
different domains from Germany to South Korea, etc.  Can anyone give me an 
idea as to what may be going on?

Jan 24 09:37:18 omega kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= 
SRC=xx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=49 
ID=47415 DF PROTO=TCP SPT=53121 DPT=25 WINDOW=5840 RES=0x00 CWR ECE SYN 
URGP=0

The odd thing is that half of these are from domains we don''t accept
email
from and the rest are from TLDs of countries we block mail from.  Even more 
curious is that we are on a dialup so our IP moves around.
-- 
Sed quis custodiet ipsos custodes?
=========================================================================Robin
Lynn Frank - Director of Operations - Paradigm-Omega, LLC
Copyright and PGP/GPG info in mail or message headers.
Email acceptance policy at http://paradigm-omega.com/email_policy.html
==========================================================================

--On Friday, January 24, 2003 11:00 AM -0700 Robin Lynn Frank 
<rlfrank@paradigm-omega.com> wrote:
> For the last couple of days, I''ve been seeing a bunch of these
from 8
> different domains from Germany to South Korea, etc.  Can anyone give me
> an  idea as to what may be going on?
>
> Jan 24 09:37:18 omega kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC>
SRC=xx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=49
> ID=47415 DF PROTO=TCP SPT=53121 DPT=25 WINDOW=5840 RES=0x00 CWR ECE SYN
> URGP=0
>
> The odd thing is that half of these are from domains we don''t
accept
> email  from and the rest are from TLDs of countries we block mail from.
> Even more  curious is that we are on a dialup so our IP moves around.
Don''t have a clue. I''ve seen no recent upsurge in smtp probes.

   HITS  PORT SERVICE(S)
   ---- ----- ----------
    131  1433 ms-sql-s
     50    80 http
     35    21 ftp
     28    57
     19   443 https
      7   500 isakmp
      7 14002
      6  6112
      5  1080 socks
      4 37852
      4   161 snmp
      3  8080 webcache
      3  3128 squid
      2   135
      1    81
      1  8081 tproxy
      1  8000
      1  7656
      1  6588
      1  5625
      1  4480
      1  1180
      1   110 pop3
[root@gateway root]#

Interesting to see that ECN is being offered in the SYN packets you are 
seeing though...Hmmmm

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
AIM: teastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net