Hello.
I realize that this may be somewhat off-topic, but I figure many of you
will have some knowledge in this area.
Last week, I got a cable modem and set my linux box to act as a masq'ing
server and firewall.
I've been keeping an eye on my log files to see what the firewall has been
turning away and I'm surprised to actually see some traffic. Here is a
sample. x.x.x.x is my linux box's IP to the world, and I chopped the dates
off the front to shorten the lines. This block came in within a 30 second
span.

IP fw-in deny eth0 TCP 153.36.25.22:17031 x.x.x.x:1080 L=44 S=0x00 I=32514 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:17031 x.x.x.x:1080 L=44 S=0x00 I=32660 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:20554 x.x.x.x:143 L=44 S=0x00 I=32762 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:20554 x.x.x.x:143 L=44 S=0x00 I=32899 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:22681 x.x.x.x:635 L=44 S=0x00 I=33009 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:22681 x.x.x.x:635 L=44 S=0x00 I=33184 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:25546 x.x.x.x:143 L=44 S=0x00 I=33272 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:25546 x.x.x.x:143 L=44 S=0x00 I=33410 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:28793 x.x.x.x:67 L=44 S=0x00 I=33505 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:28793 x.x.x.x:67 L=44 S=0x00 I=33645 F=0x0000 T=50

Here's another that looks like an attempt to telnet into my box, again,
these all happened within a short timeframe:

IP fw-in deny eth0 TCP 24.0.165.89:3230 x.x.x.x:23 L=44 S=0x00 I=36275 F=0x0040 T=112
IP fw-in deny eth0 TCP 24.0.165.89:3230 x.x.x.x:23 L=44 S=0x00 I=3253 F=0x0040 T=112
IP fw-in deny eth0 TCP 24.0.165.89:3230 x.x.x.x:23 L=44 S=0x00 I=5048 F=0x0040 T=112
IP fw-in deny eth0 TCP 24.0.165.89:3230 x.x.x.x:23 L=44 S=0x00 I=21952 F=0x0040 T=112

Doing an nslookup on this incoming IP looks like some proxy server, or a
dynamically assigned IP address from uu.net and home.com respectively.
I'm curious if anybody can explain a benign reason I may be getting these, or
are these really attempts to look/break into my system?
Thanks.
--Scott
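
One way to triage deny lines like those in the message above, as an added example that is not part of the original post: it groups denied packets by source and separates a source touching several services from one retrying a single service. The `summarize` name, the `scan_threshold` value and the field meanings given in the comments are assumptions.

```python
import re
from collections import defaultdict

# Matches the "IP fw-in" deny lines quoted in the post.
# Field meanings are assumed, not stated in the post: L=IP length, I=IP ID, T=TTL.
LINE = re.compile(
    r"IP fw-in (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)

def summarize(log_text, scan_threshold=3):
    """Group denied packets by source; scan_threshold is a hypothetical knob."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "flows": set()})
    # Collapse whitespace first so lines wrapped by a mail client still match.
    for m in LINE.finditer(" ".join(log_text.split())):
        s = per_src[m["src"]]
        s["packets"] += 1
        s["ports"].add(int(m["dport"]))
        # Same source port and destination port repeated = retries of one attempt.
        s["flows"].add((int(m["sport"]), int(m["dport"])))
    report = {}
    for src, s in per_src.items():
        many = len(s["ports"]) >= scan_threshold
        report[src] = {"kind": "multi-port probe" if many else "single-service attempt",
                       "ports": sorted(s["ports"]),
                       "attempts": len(s["flows"]), "packets": s["packets"]}
    return report

# A subset of the lines quoted in the post, each wrapped pair rejoined.
SAMPLE = """\
IP fw-in deny eth0 TCP 153.36.25.22:17031 x.x.x.x:1080 L=44 S=0x00 I=32514 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:17031 x.x.x.x:1080 L=44 S=0x00 I=32660 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:20554 x.x.x.x:143 L=44 S=0x00 I=32762 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:22681 x.x.x.x:635 L=44 S=0x00 I=33009 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:25546 x.x.x.x:143 L=44 S=0x00 I=33272 F=0x0000 T=50
IP fw-in deny eth0 TCP 153.36.25.22:28793 x.x.x.x:67 L=44 S=0x00 I=33505 F=0x0000 T=50
IP fw-in deny eth0 TCP 24.0.165.89:3230 x.x.x.x:23 L=44 S=0x00 I=36275 F=0x0040 T=112
IP fw-in deny eth0 TCP 24.0.165.89:3230 x.x.x.x:23 L=44 S=0x00 I=3253 F=0x0040 T=112
"""

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

A source whose `attempts` count is lower than its `packets` count is resending the same connection attempt, which is what a client does when its first packet gets no answer.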