On Sun, Aug 18, 2002 at 11:30:55PM +0200, Manfred Schuler wrote:
> In the last few weeks I discovered some unknown traffic on my firewall.
> I inserted a rule to log all traffic on the input and output chains and found that the
> incoming packet is neither rejected nor denied, but answered by the firewall.
> I am using a stock eigerstein2beta firewall with no port redirection and no additional
> ports opened.
>
> What I don't understand is why the packets are not denied and who is responding to these
> packets.
> tcpdump:
>
> 13:24:08.722724 213.168.220.62.2605 > 80.134.34.59.1214: S 229201904:229201904(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
> 13:24:08.722724 80.134.34.59.1214 > 213.168.220.62.2605: R 0:0(0) ack 229201905 win 0
> 13:24:09.752724 213.168.220.62.2605 > 80.134.34.59.1214: S 229201904:229201904(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
> 13:24:09.752724 80.134.34.59.1214 > 213.168.220.62.2605: R 0:0(0) ack 1 win 0
> 13:24:10.452724 213.168.220.62.2605 > 80.134.34.59.1214: S 229201904:229201904(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
> 13:24:10.452724 80.134.34.59.1214 > 213.168.220.62.2605: R 0:0(0) ack 1 win 0
> 13:24:11.352724 213.168.220.62.2605 > 80.134.34.59.1214: S 229201904:229201904(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
> 13:24:11.352724 80.134.34.59.1214 > 213.168.220.62.2605: R 0:0(0) ack 1 win 0

According to whois, the source is coming from (abridged output):

inetnum:      213.168.220.0 - 213.168.220.255
netname:      NORDCOM
descr:        nordCom
descr:        dynamic dialin for internet services
country:      DE
admin-c:      HNC-ORG
tech-c:       HNC-ORG
status:       ASSIGNED PA
mnt-by:       NORDCOM-MNT
changed:      [EMAIL PROTECTED] 20010427
source:       RIPE

route:        213.168.192.0/19
descr:        nordCom Routing
origin:       AS13247
notify:       [EMAIL PROTECTED]
mnt-by:       NORDCOM-MNT
changed:      [EMAIL PROTECTED] 20000703
source:       RIPE

role:         Hostmaster Nordcom
address:      Nordcom
address:      Doetlinger Str. 6-8
address:      D-28197 Bremen
address:      Germany
e-mail:       [EMAIL PROTECTED]

Looking at your output, they are sending you some sort of packet destined for port 1214 on your firewall (80.134.34.59) and your firewall IS rejecting it, using the TCP RST flag (ReSeT). Your firewall can send a RST, or ignore the packet entirely; in this case, it sends a RST.

I don't know what port 1214 is supposed to be for, but port 2605 is BGP (a routing protocol) - surprise surprise...
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
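As an added example (not part of the thread above), a small Python script that pairs each SYN in an old-style tcpdump capture with the reply it got, so a firewall admin can tell a REJECT (RST comes back, as in Manfred's capture), an open port (SYN-ACK) and a DROP (nothing comes back) apart. The first four capture lines are the ones quoted above; the three lines for ports 22 and 80 are constructed.

```python
import re
from collections import defaultdict

# Old-style tcpdump TCP line: "<hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <flags> ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPF.]+)(?=\s)"
)

def parse_tcp_line(line):
    """Return the fields of one TCP line, or None for anything else."""
    m = TCP_LINE.match(line.strip())
    return m.groupdict() if m else None

def classify_syns(lines):
    """Pair each SYN with the first reply on the reversed 4-tuple and tally,
    per (dst_ip, dst_port): "rst" (REJECT rule or closed port, as in the
    capture above), "syn-ack" (a service accepted it: port open), "no-reply"
    (what a DROP rule looks like on the wire) or "other"."""
    pending = defaultdict(list)   # 4-tuple -> SYNs still waiting for a reply
    tally = defaultdict(lambda: {"rst": 0, "syn-ack": 0, "no-reply": 0, "other": 0})
    for pkt in filter(None, map(parse_tcp_line, lines)):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            pending[key].append(pkt)
            continue
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pending[rev]:
            syn = pending[rev].pop(0)
            flags = pkt["flags"]
            kind = "syn-ack" if flags == "S." else "rst" if flags[0] == "R" else "other"
            tally[(syn["dst"], int(syn["dport"]))][kind] += 1
    for syns in pending.values():        # SYNs nobody ever answered
        for syn in syns:
            tally[(syn["dst"], int(syn["dport"]))]["no-reply"] += 1
    return dict(tally)

# First four lines are from the capture above; the last three are constructed
# (192.0.2.0/24 is a documentation range) to show the DROP and open-port cases.
CAPTURE = """\
13:24:08.722724 213.168.220.62.2605 > 80.134.34.59.1214: S 229201904:229201904(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
13:24:08.722724 80.134.34.59.1214 > 213.168.220.62.2605: R 0:0(0) ack 229201905 win 0
13:24:09.752724 213.168.220.62.2605 > 80.134.34.59.1214: S 229201904:229201904(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
13:24:09.752724 80.134.34.59.1214 > 213.168.220.62.2605: R 0:0(0) ack 1 win 0
13:25:01.000000 192.0.2.10.40000 > 80.134.34.59.22: S 1:1(0) win 8192 (DF)
13:25:02.000000 192.0.2.11.40001 > 80.134.34.59.80: S 7:7(0) win 8192 (DF)
13:25:02.000100 80.134.34.59.80 > 192.0.2.11.40001: S. 9:9(0) ack 8 win 5840
"""
```

Run `classify_syns(CAPTURE.splitlines())` against a real `tcpdump -n` log to get the per-port counts; a port that only ever shows "rst" is being answered by the firewall's own TCP stack (REJECT), not by a service behind it.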