Do these log entries make sense to anyone?

Aug 11 19:32:26 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:58:1e:08:00 SRC=192.168.1.72 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=60874 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 11 19:45:41 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:3a:f4:08:00 SRC=192.168.1.71 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=65245 PROTO=UDP SPT=137 DPT=137 LEN=58

I am not using the 192.168.1.0 network. I have eth0 facing the internet with a routable IP address. I am using proxy arp, so I assigned 10.0.0.2 to eth1, which currently connects to a single server. That server's IP address is on the same network as eth0 and is also listed in the proxyarp config file.

The firewall appears to be working properly but is generating log entries like the ones above almost every minute.

Thanks,
Steve Ledwith
San Jose Web
On Mon, 11 Aug 2003, Steve Ledwith wrote:

> Do these log entries make sense to anyone?

Yes -- and they will to you also if you read FAQ 17...

Basically, you have an idiot living in your neighborhood. You can alter your rfc1918 file to stop the messages or simply ignore them...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
LOL, too funny. :) That poor person is asking to be hacked. Windows keeps the security sector moving right along.

> Basically, you have an idiot living in your neighborhood. You can alter
> your rfc1918 file to stop the messages or simply ignore them...

JBanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
Hi Steve,

Monday, August 11, 2003, 6:51:09 PM, you wrote:

SL> Do these log entries make sense to anyone?
SL> Aug 11 19:32:26 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=
SL> MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:58:1e:08:00 SRC=192.168.1.72

I see the same sort of thing from 10.0.0.76 port 110 on my ppp0 interface. I do not use the 10.x address space on my localnet.

When I look at my email headers I can see that 10.0.0.74 is the address of a working mail server run by my provider.

So... it appears my provider has a past history of using the 10.0.0.x address space for its servers. ...and I'm getting hit on port 110.... hmmmmmm. 2+2=4?

Perhaps my provider has forgotten about some old mailserver that was supposed to be taken out of service???

The firewall denials are much too regular to be some sort of spoof attack. They come in groups of 4 at seemingly stable intervals, though I haven't taken the time to sleuth what interval/time period.

...and what is a pop mail box trying to do - I thought that with a pop server, it's only responding to pop requests... as opposed to originating them as this box seems to be doing.

Plus... my ppp0 ip addy is always in the 209.193.x.x address space... so how the heck does a packet from a 10.x address even get to me in the first place? I thought 10.x addresses were non-routable to begin with.

I'm mystified. Enlightenment appreciated!

--
Best regards
Joshua Banks
2003-Aug-12 02:17 UTC
[Shorewall-users] Help with interpreting log - New Question
I had the same thing happen when I first got DSL installed. It didn't make any sense until I started to get into networking somewhat. My connection to the ISP was a bridged connection, not routed. When you have a routed connection everything is routed at the modem. Meaning that even though my DSL modem sat right on my desk, the connection really wasn't being routed per se at the DSL modem. The modem was sending signals to the ISP that then routed the packets out to the internet. So in all actuality my modem might as well have been sitting at the ISP.

Now depending on how they do things with their equipment and personnel will show in this respect. If they don't have things plugged in like they should and access lists configured correctly, switches and routers configured correctly internally, then you will indeed see a lot of traffic that doesn't make sense. You might as well just pretend that you're plugged into the same hub that all of the other networks are plugged into if things aren't configured correctly. Most of what you'll see is broadcast traffic. And actually what kind of equipment/technology they are using (ATM, Frame Relay, Packet Switching, DSL versus cable) will have some bearing as well. Cable technology is shared. Everyone taps into the same trunk on the way to the ISP. DSL is a dedicated connection/circuit to the ISP.

We used to actually have the ability to browse other people's shares. The ISP didn't know what the hell they were doing. This was during the .com boom.

Little long winded. But hopefully I'm not as tired as I think I am, and this made some sense. :)

JBanks
Tom Eastep
2003-Aug-12 07:31 UTC
[Shorewall-users] Help with interpreting log - New Question
On Mon, 2003-08-11 at 23:14, Cliff wrote:
> Hi Steve,
>
> Monday, August 11, 2003, 6:51:09 PM, you wrote:
>
> SL> Do these log entries make sense to anyone?
> SL> Aug 11 19:32:26 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=
> SL> MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:58:1e:08:00 SRC=192.168.1.72
>
> I see the same sort of thing from 10.0.0.76 port 110 on my ppp0 interface.
> I do not use the 10.x address space on my localnet.
>
> When I look at my email headers I can see that 10.0.0.74 is
> the address of a working mail server run by my provider.
>
> So... it appears my provider has a past history
> of using the 10.0.0.x address space for its servers.
> ...and I'm getting hit on port 110.... hmmmmmm.
> 2+2=4?
>
> Perhaps my provider has forgotten about some old
> mailserver that was supposed to be taken out of service???

It is perfectly acceptable for an ISP to use RFC 1918 addresses within their infrastructure. This is pointed out in the QuickStart guides. A POP3 server that serves customers would be a good choice for such use by an ISP.

> The firewall denials are much too regular to be
> some sort of spoof attack. They come in groups of
> 4 at seemingly stable intervals, though I haven't
> taken the time to sleuth what interval/time period.
>
> ...and what is a pop mail box trying to do - I thought
> that with a pop server, it's only responding to pop
> requests... as opposed to originating them as this box
> seems to be doing.

I'm betting that it is a response to one of YOUR internal systems that is trying to connect to this server to pull email via POP3.

> Plus... my ppp0 ip addy is always in the 209.193.x.x
> address space... so how the heck does a packet from
> a 10.x address even get to me in the first place?
> I thought 10.x addresses were non-routable to begin with.

The INTERNET BACKBONE ROUTERS don't route these ip addresses -- other routers (at your ISP) are free to deal with them in any way that they choose.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
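The entries Steve posted and the 10.x / port-110 pattern Cliff describes can be taken apart mechanically. The following is an added example (not from the thread or from Shorewall itself) that parses log lines in this format and tags what Tom's two replies point at: an RFC 1918 source, a link-layer broadcast destination decoded from the MAC= field, the service port involved, and a server-port-to-client-port TCP packet that reads as a reply rather than a probe. The third sample line, its chain name and its peer address are constructed, not taken from the thread.

```python
import ipaddress
import re

# Constructed sample in the format shown in the thread: syslog prefix, Shorewall's
# "Shorewall:<chain>:<disposition>:" tag, then netfilter's packet dump. Lines 1-2 mirror
# Steve's entries; line 3 is a constructed TCP line in the shape Cliff describes
# (10.x source, source port 110). Its chain name and peer address are assumptions.
SAMPLE_LOG = """\
Aug 11 19:32:26 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:58:1e:08:00 SRC=192.168.1.72 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=60874 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 11 19:45:41 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:3a:f4:08:00 SRC=192.168.1.71 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=65245 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 12 01:10:03 localhost kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=10.0.0.76 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=4711 DF PROTO=TCP SPT=110 DPT=3412 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICES = {137: "netbios-ns", 110: "pop3"}  # the two ports discussed in the thread

def parse_line(line):
    """One entry -> dict. KEY=VALUE tokens become fields, bare flags (DF, ACK, RST)
    collect in FLAGS, and the repeated LEN (the UDP length) is stored as LEN2."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    e = {k: m.group(k) for k in ("ts", "host", "chain", "disp")}
    e["FLAGS"] = []
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if not eq:
            e["FLAGS"].append(key)
        else:
            e[key + "2" if key in e else key] = val
    return e

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def classify(e):
    """Defender-side tags explaining why the firewall saw this packet."""
    tags = set()
    if any(ipaddress.ip_address(e["SRC"]) in n for n in RFC1918):
        tags.add("rfc1918-source")           # what Shorewall's rfc1918 file acts on
    mac = e.get("MAC", "").split(":")        # MAC= is dst(6) + src(6) + ethertype(2)
    if len(mac) == 14 and mac[:6] == ["ff"] * 6:
        tags.add("link-broadcast")
    spt, dpt = int(e.get("SPT", 0)), int(e.get("DPT", 0))
    svc = SERVICES.get(dpt) or SERVICES.get(spt)
    if svc:
        tags.add("service:" + svc)
    if e.get("PROTO") == "TCP" and spt < 1024 <= dpt:
        tags.add("reply-from-service-port")  # server port -> client port: a response, not a probe
    return tags
```

Run against the sample, the two 192.168.1.x entries come out as RFC 1918 NetBIOS name-service broadcasts (the neighbour Tom refers to), while the constructed 10.0.0.76 line is tagged as a POP3 server's reply toward a client port, which is the reading Tom gives Cliff.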
Hi Joshua,

Thatzwat I thought. Provider is clueless. God knows I can't talk to anyone at their tech support and get them to act on the situation, or to even pretend that they are knowledgeable.

Thanks for the insight.

JB> I had the same thing happen when I first got DSL installed. It didn't make any sense until I
JB> started to get into networking somewhat. My connection to the ISP was a bridged connection, not
JB> routed. When you have a routed connection everything is routed at the modem. Meaning that even
JB> though my DSL modem sat right on my desk, the connection really wasn't being routed per se at the DSL
JB> modem. The modem was sending signals to the ISP that then routed the packets out to the internet.
JB> So in all actuality my modem might as well have been sitting at the ISP. Now depending on how they
JB> do things with their equipment and personnel will show in this respect. If they don't have things
JB> plugged in like they should and access lists configured correctly, switches and routers configured
JB> correctly internally, then you will indeed see a lot of traffic that doesn't make sense. You might
JB> as well just pretend that you're plugged into the same hub that all of the other networks are
JB> plugged into if things aren't configured correctly. Most of what you'll see is broadcast
JB> traffic. And actually what kind of equipment/technology they are using (ATM, Frame Relay, Packet
JB> Switching, DSL versus cable) will have some bearing as well.
JB> Cable technology is shared. Everyone taps into the same trunk on the way to the ISP. DSL is a
JB> dedicated connection/circuit to the ISP. We used to actually have the ability to browse other
JB> people's shares. The ISP didn't know what the hell they were doing. This was during the .com
JB> boom. Little long winded. But hopefully I'm not as tired as I think I am, and this made some
JB> sense. :)
JB> JBanks

--
Best regards