Kory Krofft wrote:

> All this talk about the weblet message logs has me wondering. My firewall log
> states that since yesterday I have almost 3000 denied or rejected packets. I
> included a sample of the log entries below. Can someone please explain what
> these lines mean? Do I have a problem? Is there a way to reset the logs from the
> browser?
>
> Thanks,
> Kory
>
> Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 > 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)
This one was one of those Code Red scans, destined for your web port (80).

> Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 > 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x0000 T=253 (#39)
> Nov 13 18:57:23 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 > 224.0.1.22:427 L=81 S=0x00 I=60946 F=0x0000 T=31 (#39)
> Nov 13 19:07:17 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 > 224.0.1.22:427 L=81 S=0x00 I=47352 F=0x0000 T=31 (#39)
> Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 > 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x0000 T=1 (#39)

These four were UDP packets that were sent to a multicast IP address (224.any.thi.ng). As 99% of us do no multicast client or server activity, you can safely ignore those. If you don't want to see them (and if there are too many of them) then you can change rule #39 so that the '-l' log option is not there. Then the packets will be denied, but not logged.

> Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 > 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)

Another Code Red to port 80 (or it could be a valid request to port 80, but my guess is you have no public web server, and it's Code Red).

> Nov 13 19:17:11 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 > 224.0.1.22:427 L=81 S=0x00 I=33817 F=0x0000 T=31 (#39)
> Nov 13 19:27:06 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 > 224.0.1.22:427 L=81 S=0x00 I=20302 F=0x0000 T=31 (#39)
> Nov 13 19:37:00 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 > 224.0.1.22:427 L=81 S=0x00 I=6786 F=0x0000 T=31 (#39)

More of the same multicast traffic destined for a 224.x.y.z address.

Also, on the SourceForge website, there's an ipchains log file decoding howto/FAQ.
Good Luck,
Matthew

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
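Reading the entries by hand is fine for a dozen lines but not for the roughly 3000 Kory mentions. The Python below is an added example, not code from the post, from Matthew, or from the LEAF project: it parses ipchains "Packet log:" lines into their fields, buckets each one the way the reply above does (destination in the multicast range versus an inbound TCP SYN to some port), and counts hits per rule number and per source address, so you can see which rule's '-l' is producing the noise and whether one host is behind the port-80 SYNs. The five log lines embedded as input are copied from the post; the field names, the class labels and the function names are my own choices.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed input: five of the "Packet log:" lines quoted in Kory's post.
# The stray ">" between source and destination is a mail-quoting artifact in
# the post; the regex tolerates it so the quoted lines parse unchanged.
SAMPLE_LOG = """\
Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 > 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)
Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 > 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x0000 T=253 (#39)
Nov 13 18:57:23 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 > 224.0.1.22:427 L=81 S=0x00 I=60946 F=0x0000 T=31 (#39)
Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 > 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x0000 T=1 (#39)
Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 > 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)
"""

# One ipchains log line: syslog timestamp and host, then chain, action,
# interface, IP protocol number (6 = TCP, 17 = UDP), src:port, dst:port,
# L= total length, S= TOS byte, I= IP id, F= fragment word, T= TTL,
# an optional SYN marker (set for a TCP packet starting a connection),
# and the number of the rule whose -l produced the entry.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?:> )?(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<syn>SYN))? \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return a dict of the fields of one ipchains log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        e[k] = int(e[k])
    e["tos"] = int(e["tos"], 16)
    e["frag"] = int(e["frag"], 16)
    e["syn"] = e["syn"] is not None
    return e


def classify(e):
    """Bucket an entry as the reply does: multicast noise, inbound TCP SYN per port, other."""
    if ip_address(e["dst"]).is_multicast:
        # 224.0.0.0/4: nothing on the box answers it unless a multicast app is running
        return "multicast"
    if e["proto"] == 6 and e["syn"]:
        # a new connection attempt to that port (Code Red probes land here as tcp-syn/80)
        return "tcp-syn/%d" % e["dport"]
    return "other"


def summarize(log_text):
    """Parse a block of log text and count entries by class, by rule number and by source."""
    by_class, by_rule, by_src = Counter(), Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            unparsed += 1
            continue
        by_class[classify(e)] += 1
        by_rule[e["rule"]] += 1
        by_src[e["src"]] += 1
    return {"by_class": by_class, "by_rule": by_rule, "by_src": by_src, "unparsed": unparsed}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for cls, n in s["by_class"].most_common():
        print("%-12s %d" % (cls, n))
    print("by rule:", dict(s["by_rule"]))
    print("top sources:", s["by_src"].most_common(3))
    print("unparsed lines:", s["unparsed"])
```

Run it as "grep 'Packet log:' /var/log/messages | python3 thisfile.py" after changing the main block to read sys.stdin instead of SAMPLE_LOG. A large "multicast" bucket all under one rule number is the case where dropping that rule's '-l' is the right fix; a "tcp-syn/80" bucket dominated by a handful of sources is worth a second look at those addresses before dismissing it as worm noise.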
