Hello Brian

The actual number of packet logs is not that important. For example, eDonkey and programs like that make a lot of connection attempts.
Your summary shows that almost all connections came from 193.163.220.4 proxy-scanner.eris.dk
The interesting thing would be to see what kind of packets the ones from or to this IP are.

> I have the following message
>
> Thu Feb 6 09:49:28 UTC 2003
>
> firewall Firewall Status: error
>
> You have 438 denied or rejected packets in your recent packet logs.
>
> See the messages in the log files for details
> Or check the hits sorted by port or by IP adress
>
>
> and when I look at the log file this is what it has (excerpt)
> Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37
> DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP
> SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0

Taken apart, this means:
at Feb 6 08:31:05 the Shorewall chain net2all DROP dropped a packet coming from the eth0 interface (IN=eth0) that was meant for the firewall ( OUT= )
(info on eth0 MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00)
The source address of this packet was SRC=144.134.250.37, and the destination (DST=203.217.17.249) should have been your external IP at that moment.
The protocol was TCP, the source port 1146 and the destination port 3511.
Further packet information: length 48, type of service 00, time to live 120.
The SYN bit was set, so it was a "start of communication"
( LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0 )

--------------------------------------------------------

You should now read some of the denied or dropped packets from the 193.163.220.4 host.
It might seem that you have outgoing connections to this host that are blocked ( IN= resp. OUT= ), that the ports are changing (then it might be a scan), or that it is always the same port that tries to connect (for example with a configuration error).

> hits port Service
> 42 1080
> 28 8080 webcache
> 28 6552
> 28 23 telnet
>
>
> sorted by ip address
>
> Hits IP-Adress Date
> 406 193.163.220.4 Feb 6
> 7 24.192.28.48 Feb 6
> 6 202.129.102.26 Feb 6
> 6 144.134.250.37 Feb 6
> 4 192.168.1.254 Feb 6
> 3 24.123.122.189 Feb 6
> 3 203.59.187.164 Feb 6
> 3 203.45.122.188 Feb 6
>
> What does it mean?? Am I being attacked or is it something in Shorewall that
> I have not configured properly?
>

Good luck
Eric Wolzak
member of the bering crew

------------------------------------------------------------------------
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
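
The field-by-field reading of the log line, and the check for changing ports versus one repeated port, as an added Python example that is not part of the original message. The function names, the `scan_threshold` cut-off and every sample line except the first (the excerpt from the message) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the excerpt quoted in the message (rejoined onto one line); the
# remaining lines are constructed samples using documentation addresses.
SAMPLE_LOG = """\
Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:40:01 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.217.17.249 LEN=48 PROTO=TCP SPT=4001 DPT=1080 SYN URGP=0
Feb 6 08:40:02 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.217.17.249 LEN=48 PROTO=TCP SPT=4002 DPT=8080 SYN URGP=0
Feb 6 08:40:03 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.217.17.249 LEN=48 PROTO=TCP SPT=4003 DPT=23 SYN URGP=0
Feb 6 08:41:00 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.217.17.249 LEN=48 PROTO=TCP SPT=5001 DPT=6552 SYN URGP=0
Feb 6 08:41:30 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.217.17.249 LEN=48 PROTO=TCP SPT=5002 DPT=6552 SYN URGP=0
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def parse_line(line):
    """Return the fields of one Shorewall log line as a dict, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"], "flags": []}
    for token in m["rest"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value            # "OUT=" gives "": packet was for the firewall itself
        else:
            rec["flags"].append(token)  # bare words such as DF and SYN
    return rec

def ports_by_source(log_text):
    """Map each SRC address to the set of destination ports it was logged on."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "SRC" in rec and "DPT" in rec:
            ports[rec["SRC"]].add(int(rec["DPT"]))
    return dict(ports)

def classify(ports, scan_threshold=3):
    """Label each source; scan_threshold is an assumed cut-off, not from the message."""
    def label(n):
        return "same-port" if n == 1 else "changing-ports" if n >= scan_threshold else "few-ports"
    return {src: label(len(dports)) for src, dports in ports.items()}

if __name__ == "__main__":
    for src, verdict in classify(ports_by_source(SAMPLE_LOG)).items():
        print(src, verdict)
```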