I would read those messages to say that you are receiving packets with an inside
address (194.122.33.243) on the outside interface. So they are being denied because
the address is seen on the wrong interface (bad-if). This is a standard attack,
spoofing the inside address to perhaps get past filters.
-Michele
"David D.W. Downey" wrote:
> On Fri, 15 Dec 2000 [EMAIL PROTECTED] wrote:
>
> >
> > Hello,
> >
> > for 3 days now I have been getting the following entries in my logfile:
> >
> > Dec 15 12:30:15 firewall kernel: Packet log: bad-if DENY lo PROTO=1
> > 194.122.33.243:3 194.122.33.243:1 L=92 S=0xC0 I=4595 F=0x0000 T=255 (#1)
>
> If you look through the IPCHAINS-HOWTO you'll find some good info for you.
>
> From the logs you can see that your first rule in the input chains (the #1
> text at the end of the line) is causing your system to deny the inbound
> packet.
>
> 194.122.33.243 connecting from port 3 sent a packet to port 1 on your
> loopback interface (the lo)
>
> Port 1 is the TCP Multiplexor port (tcpmux) as seen from the /etc/services
> file
>
> tcpmux 1/tcp # TCP port service multiplexer
>
> Port 3 is the system's tcp compression port
>
> Its service name is called compressnet
>
> What exactly that is I can only guess. I **THINK** it's used when you send
> compressed packets across a system either during something like when you
> use some ftp site's ability to send you a compressed tarball of the ftp
> site itself. **BEAR IN MIND, I COULD BE WRONG!**
>
> To find out what particular ports are you can also hit
>
> http://www.stengel.net/tcpports.htm
> OR
> http://users.dhp.com/~whisper/mason/nmap-services (I like this one)
>
> Now, as to the WHY of your question, that is something I can not answer.
>
> --
>
> David D.W. Downey
> RHCE
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
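Added example, not part of the original thread: a parser for the ipchains "Packet log:" entry quoted above, using the field layout documented in the IPCHAINS-HOWTO, in which the two numbers after the addresses are the ICMP type and code when PROTO=1. The function name, field names and the two triage flags are this example's own choices.

```python
import re

# Field layout of an ipchains "Packet log:" entry, per the IPCHAINS-HOWTO:
# chain, target, interface, IP protocol number, src:port, dst:port,
# L=length S=TOS I=IP id F=fragment field T=TTL, optional SYN, (#rule number).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? "
    r"\(#(?P<rule>\d+)\)"
)
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}

def parse_ipchains(line):
    """Return the decoded fields of one log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    proto = int(f["proto"])
    rec = {
        "chain": f["chain"], "target": f["target"], "iface": f["iface"],
        "proto": PROTOCOLS.get(proto, str(proto)),
        "src": f["src"], "dst": f["dst"],
        "length": int(f["length"]), "ttl": int(f["ttl"]),
        "rule": int(f["rule"]),
        # Triage hints: same address at both ends, and seen on loopback.
        "src_equals_dst": f["src"] == f["dst"],
        "on_loopback": f["iface"] == "lo",
    }
    if proto == 1:
        # For ICMP the two "port" positions carry the ICMP type and code.
        rec["icmp_type"] = int(f["sport"])
        rec["icmp_code"] = int(f["dport"])
        rec["icmp_name"] = ICMP_TYPES.get(rec["icmp_type"], "other")
    else:
        rec["sport"], rec["dport"] = int(f["sport"]), int(f["dport"])
    return rec

# The entry quoted in the thread, with its two wrapped lines joined.
SAMPLE = ("Dec 15 12:30:15 firewall kernel: Packet log: bad-if DENY lo PROTO=1 "
          "194.122.33.243:3 194.122.33.243:1 L=92 S=0xC0 I=4595 F=0x0000 T=255 (#1)")

if __name__ == "__main__":
    for key, value in parse_ipchains(SAMPLE).items():
        print(f"{key:15} {value}")
```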