I'm getting some firewall messages here, and I suspect that they're not attacks but some fault in the firewall.
Here are a couple of typical ones:

Mar 2 21:07:29 saturn kernel: TCP drop IN=eth0 OUT= MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=66.120.90.134 DST=146.115.228.77 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=0 DF PROTO=TCP SPT=80 DPT=35854 WINDOW=0 RES=0x00 RST URGP=0

Mar 3 11:13:11 saturn kernel: TCP drop IN=eth0 OUT= MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=205.156.51.200 DST=146.115.228.77 LEN=118 TOS=0x10 PREC=0x00 TTL=46 ID=54845 PROTO=TCP SPT=21 DPT=36414 WINDOW=65500 RES=0x00 ACK PSH FIN URGP=0

I have hundreds of others as well. The distinguishing characteristic is that the fault is coming from the other guy's server port to my client port number. I have literally hundreds from noaa.gov on their FTP port (21). I have my gkrellm using the gkrellweather widget, which fetches the weather every 5 minutes, and I suspect that it happens over FTP. The port 80 hits seem to happen on *some* web sites that I visit using Netscape. Here are the relevant fragments of my firewall as they relate to ports 21 and 80. I am running no FTP server, but I am running a web server (Apache).
#
# FTP (20, 21) - Allowing outgoing client access to remote FTP servers
#
if [ $FTP_CLIENT -gt 0 ]; then
    # Outgoing request
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
             --sport $UNPRIVPORTS --dport 21 \
             -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
             -m state --state ESTABLISHED,RELATED \
             --sport 21 --dport $UNPRIVPORTS \
             -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

    # Normal Port mode FTP data channels
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
             --sport 20 --dport $UNPRIVPORTS \
             -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
             -m state --state ESTABLISHED,RELATED \
             --sport $UNPRIVPORTS --dport 20 \
             -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT

    # Passive mode FTP data channels
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
             --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
             -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
             -m state --state ESTABLISHED,RELATED \
             --sport $UNPRIVPORTS --dport $UNPRIVPORTS \
             -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

    if [ $VERBOSE -gt 0 ]; then
        echo "firewall: Clients may access remote FTP servers"
    fi
fi

#
# HTTP (80) - Accessing remote web sites as a client
#
if [ $HTTP_CLIENT -gt 0 ]; then
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
             --sport $UNPRIVPORTS --dport 80 \
             -s $EXTERNAL_IP -d $ANYWHERE -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
             -m state --state ESTABLISHED,RELATED \
             --sport 80 --dport $UNPRIVPORTS \
             -s $ANYWHERE -d $EXTERNAL_IP -j ACCEPT

    if [ $VERBOSE -gt 0 ]; then
        echo "firewall: Clients may access remote HTTP servers"
    fi
fi

#
# HTTP (80) - Allowing remote access to a local web server
#
if [ $HTTP_SERVER -gt 0 ]; then
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
             --sport $UNPRIVPORTS --dport 80 \
             -s $MY_HTTP_CLIENTS -d $EXTERNAL_IP -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
             -m state --state ESTABLISHED,RELATED \
             --sport 80 --dport $UNPRIVPORTS \
             -s $EXTERNAL_IP -d $MY_HTTP_CLIENTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p TCP \
             --sport $UNPRIVPORTS --dport 8080 \
             -s $MY_HTTP_CLIENTS -d $EXTERNAL_IP -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p TCP \
             -m state --state ESTABLISHED,RELATED \
             --sport 8080 --dport $UNPRIVPORTS \
             -s $EXTERNAL_IP -d $MY_HTTP_CLIENTS -j ACCEPT

    if [ $VERBOSE -gt 0 ]; then
        echo "firewall: Remote clients may access local HTTP server"
    fi
fi

Any ideas? I don't know if I'm doing anything wrong or if they are.

TIA

-- 
-Time flies like the wind. Fruit flies like a banana. Stranger things have -
-happened but none stranger than this. Does your driver's license say Organ -
-Donor? Black holes are where God divided by zero. Listen to me! We are all -
-individuals! What if this weren't a hypothetical question?
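Added example, not part of the original post or of the poster's firewall script: a small Python triage script for iptables LOG lines of the shape shown above. The INPUT rules in the post accept a remote server's packets only while conntrack still holds the connection in ESTABLISHED state; once the local client has closed and the conntrack entry has been removed, a late FIN, final data segment or RST from the server no longer matches and falls through to the log-and-drop rule. The script parses each line, pulls out the TCP flags, and sorts drops into that "server closing a connection the local side already tore down" category versus unsolicited SYNs and everything else. The two sample lines are the ones quoted in the post; the third (a SYN to port 23 from 192.0.2.10) is constructed for the example, and the category names and port threshold are my own choices.

```python
"""Triage iptables LOG drops from a stateful (ESTABLISHED,RELATED) rule set."""
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}
SERVICE_PORT_MAX = 1023  # assumption: anything at or below this is a server port

# Sample input: the first two lines are the ones quoted in the post; the third
# is constructed for this example (an inbound SYN to telnet from a TEST-NET address).
SAMPLE_LOG = [
    "Mar 2 21:07:29 saturn kernel: TCP drop IN=eth0 OUT= "
    "MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=66.120.90.134 "
    "DST=146.115.228.77 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=0 DF PROTO=TCP "
    "SPT=80 DPT=35854 WINDOW=0 RES=0x00 RST URGP=0",
    "Mar 3 11:13:11 saturn kernel: TCP drop IN=eth0 OUT= "
    "MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=205.156.51.200 "
    "DST=146.115.228.77 LEN=118 TOS=0x10 PREC=0x00 TTL=46 ID=54845 PROTO=TCP "
    "SPT=21 DPT=36414 WINDOW=65500 RES=0x00 ACK PSH FIN URGP=0",
    "Mar 3 12:00:00 saturn kernel: TCP drop IN=eth0 OUT= "
    "MAC=00:e0:81:05:43:80:00:30:19:31:73:a8:08:00 SRC=192.0.2.10 "
    "DST=146.115.228.77 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF PROTO=TCP "
    "SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Parse one kernel LOG line into a dict.

    key=value tokens become fields (an empty value such as OUT= is kept as "").
    Bare TCP flag names go into the 'FLAGS' set; the IP don't-fragment bit
    'DF' is recorded separately so it is not mistaken for a TCP flag.
    """
    fields = {"FLAGS": set(), "DF": False}
    payload = line.split("kernel:", 1)[-1]  # drop the syslog timestamp/host prefix
    for tok in payload.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields["FLAGS"].add(tok)
        elif tok == "DF":
            fields["DF"] = True
    return fields


def classify(fields):
    """Name the most likely reason a stateful rule set logged this packet."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt = int(fields.get("SPT", 0))
    dpt = int(fields.get("DPT", 0))
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        # Nobody asked for this: a connection attempt (scan, probe, or a
        # client for a service the rules do not expose).
        return "unsolicited-syn"
    from_server_to_client = spt <= SERVICE_PORT_MAX and dpt > SERVICE_PORT_MAX
    if from_server_to_client and flags & {"FIN", "RST"}:
        # Server side finishing or aborting a connection after the local
        # side closed and conntrack forgot it: noise, not an attack.
        return "server-close-after-local-teardown"
    if from_server_to_client and "ACK" in flags:
        # Same situation, but only a straggling ACK.
        return "late-ack-from-server"
    return "other"


def summarize(lines):
    """Count drops per (category, source address, source port)."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        counts[(classify(f), f.get("SRC"), f.get("SPT"))] += 1
    return counts


if __name__ == "__main__":
    for (cat, src, spt), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:5d}  {cat:34s} {src}:{spt}")
```

Run against a real log (`grep 'TCP drop' /var/log/messages | python3 triage.py` style, after swapping `SAMPLE_LOG` for `sys.stdin`), the "server-close-after-local-teardown" bucket is the one to expect the noaa.gov port-21 and the port-80 entries to land in; what deserves a second look is whatever ends up in "unsolicited-syn" or "other".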