mds:
        Huh. These are interesting:

> Jun 15 23:50:55 bluetrout kernel: Packet log: input DENY eth0 PROTO=17
> 192.168.0.2:137 a.b.c.d:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)
>
[snip]
> 
> Now, the interesting things are these:
> 
> [1] 192.168.0.2 is a DHCP-leased address on our internal (eth1), masq'd
> network -- powered OFF.  How could it come in eth0, anyway?
> 
> [2] a.b.c.d is a static address in our DMZ (eth2), which is on and on
> which I am running an active SSH session.

        The most important detail here is that it was caught
on the input chain of your eth0 interface. As long as you don't
have the wires mixed up, I'd say unquestionably that these packets 
came from the outside. Further, the T=107 is telling: IIRC, Windoze
machines start at 128, unix/Linux/BSD machines typically at 256.
        Now, the 192.168.x.y is clearly not unique to your LAN. 
So, even though it's the same IP address as one you use, anyone on 
the outside could forge a packet with this source IP address. In 
fact, if someone was trying to be malicious, they might just try 
and "stuff" a packet like this into your external interface. Just 
to see if your firewall was setup at all correctly.

        Lastly, let me take a guess as to *why*. Some attacks are
blind ones, where the attacker sends packets to a machine, and
doesn't really care what the replies are. It either succeeds or it
does not. It's like logging onto your LRP box: I bet without looking
at the screen, you could log on as root and flush the firewall. My
point: if someone is sending these blind attacks to your machine's
NetBIOS ports, attempting some exploit, they might as well "sign"
the packets so that they appear to come from your own LAN. 

        That's my guess. :) I'd be a lot more worried, but your
firewall appears to have handled it just fine.

-Scott
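As an added example (not code from the original post, the list, or the LEAF/LRP project), here is a small Python parser for ipchains "Packet log:" lines of the shape quoted above. It applies the check Scott is making by eye, a private (RFC 1918) or loopback source address arriving on the outside-facing interface is spoofed by definition, and turns the T= value into a rough guess of the sender's initial TTL and hop distance. Everything beyond the log format is an assumption: the three sample lines are constructed, the DMZ host written a.b.c.d in the post is replaced by the documentation address 203.0.113.7, eth0 is taken to be the only external interface, and the initial-TTL candidates 64/128/255 are the usual OS defaults rather than anything the post states.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the ipchains "Packet log:" format. They are not
# from the original post: a.b.c.d is replaced by the documentation address
# 203.0.113.7 and the second and third lines are invented for contrast.
SAMPLE_LOG = """\
Jun 15 23:50:55 bluetrout kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.2:137 203.0.113.7:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)
Jun 15 23:51:02 bluetrout kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4021 203.0.113.7:139 L=60 S=0x00 I=31337 F=0x4000 T=49 (#11)
Jun 15 23:51:09 bluetrout kernel: Packet log: input ACCEPT eth1 PROTO=17 192.168.0.5:137 192.168.0.255:137 L=78 S=0x00 I=22 F=0x0000 T=128 (#3)
"""

# Field layout of an ipchains log line: chain, verdict, interface, PROTO=,
# src:sport, dst:dport, L=length, S=TOS, I=IP id, F=fragment flags/offset,
# T=TTL and (#rule). For ICMP the two "port" fields are the type and code.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<verdict>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)\s+\(#(?P<rule>\d+)\)\s*$"
)

# Assumption matching the post's layout: eth0 is the only Internet-facing interface.
EXTERNAL_IFACES = {"eth0"}

# Source addresses that can never legitimately arrive from the Internet.
# A site would add its own public ranges here as well.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed common initial TTLs; the hop estimate is the gap to the nearest one.
INITIAL_TTLS = (64, 128, 255)


@dataclass
class PacketLog:
    ts: str
    host: str
    chain: str
    verdict: str
    iface: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    ttl: int
    rule: int


def parse_line(line: str) -> Optional[PacketLog]:
    """Return a PacketLog for an ipchains log line, or None for any other kernel message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return PacketLog(
        ts=m["ts"], host=m["host"], chain=m["chain"], verdict=m["verdict"],
        iface=m["iface"], proto=int(m["proto"]),
        src=ipaddress.IPv4Address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]), dport=int(m["dport"]),
        ttl=int(m["ttl"]), rule=int(m["rule"]),
    )


def is_spoofed(pkt: PacketLog) -> bool:
    """True when a private/loopback source shows up on an outside-facing interface."""
    return pkt.iface in EXTERNAL_IFACES and any(pkt.src in net for net in BOGON_SOURCES)


def guess_ttl_origin(ttl: int) -> Tuple[int, int]:
    """Guess (initial TTL, hops travelled) from the TTL seen on the wire.

    Only a hint: it relies on senders using one of a few default initial TTLs,
    and an attacker forging packets can set any TTL they like.
    """
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL {ttl} is not a valid IPv4 TTL")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise AssertionError("unreachable: 255 is the last candidate")


def analyse(log_text: str) -> List[dict]:
    """Parse every ipchains line and annotate it with the spoof verdict and TTL estimate."""
    findings = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        initial, hops = guess_ttl_origin(pkt.ttl)
        findings.append({
            "iface": pkt.iface, "src": str(pkt.src), "dst": str(pkt.dst),
            "proto": pkt.proto, "dport": pkt.dport, "verdict": pkt.verdict,
            "spoofed_source": is_spoofed(pkt),
            "ttl_initial_guess": initial, "hops_guess": hops,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        flag = "SPOOFED" if f["spoofed_source"] else "ok"
        print(f"{f['iface']:5} {f['src']:>15} -> {f['dst']:<15} proto={f['proto']:<3} "
              f"dport={f['dport']:<5} ttl~{f['ttl_initial_guess']}-{f['hops_guess']} {flag}")
```

Feed it a real file with `analyse(open("/var/log/messages").read())`; lines that are not ipchains packet logs are skipped. The quoted line comes out flagged SPOOFED with an initial-TTL guess of 128 and 21 hops, which is what makes a 192.168.0.2 source on eth0 implausible as anything but a forged packet. The TTL estimate is only a hint, since a forged packet can carry any TTL; the spoof check, by contrast, is a hard rule and is exactly what an input DENY on the external interface for private source ranges enforces, as the log shows it doing here.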


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
