Jim,

Since nobody else has replied, I'll take a crack.

An rfc1918 packet arrived at your external interface and you have "norfc1918" specified on that interface. Most likely originated from your ISP's equipment, hit your firewall, and was dropped by norfc1918.

A successful guess of your internal network # is, as far as I know, worthless to a potential attacker. I am not personally aware of any attack based on guessing internal network #s....

BTW, don't think of these addresses as "unroutable" for they are certainly routable. But most internet routers will not route them by default.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Ford
Sent: Saturday, December 10, 2005 8:26 AM
To: leaf-user
Subject: [leaf-user] Puzzling Shorewall log entry?

Trying to understand the Shorewall logs on my Bering uClibc setup, I'm puzzled over the following entry, of which I've had several:

Dec 10 06:47:01 firewall rfc1918 DROP eth0 eth1 192.168.0.2 192.168.1.64 TCP 2595 54321 1410215655 63659 ACK PSH 0

The rfc1918 address 192.168.0.2 is not one I use and as it's unroutable, should not have arrived at my eth0. 192.168.1.64 is the IP address of the machine I'm running Azureus on. The destination port 54321 is the one I use for my Azureus bittorrent client. The source port 2595 is 'World Fusion 1' - whatever that might be!

Has someone taken a guess at what the private IP address range I might be using, spoofed it and tried to slip in via my open Azureus port? If so, what would have happened if they had correctly guessed at the IP range I use?

(BTW, am I giving anything important to potential intruders by revealing the above info?)

Jim Ford

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
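
Added example (not part of the thread, and not Shorewall or LEAF code): a Python sketch that parses log lines laid out like the entry Jim quotes and counts RFC 1918 source addresses arriving on the external interface, so repeated entries can be grouped by source, destination and port. The field order is an assumption inferred from that one entry and Jim's description of it; only the first sample line comes from the thread, the others are constructed.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges only; ipaddress.is_private is broader (loopback, link-local, ...).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First line is the entry quoted in the thread; the rest are constructed samples.
SAMPLE = """\
Dec 10 06:47:01 firewall rfc1918 DROP eth0 eth1 192.168.0.2 192.168.1.64 TCP 2595 54321 1410215655 63659 ACK PSH 0
Dec 10 06:52:13 firewall rfc1918 DROP eth0 eth1 192.168.0.2 192.168.1.64 TCP 2595 54321 1410217000 63659 ACK 0
Dec 10 07:03:40 firewall net2all DROP eth0 - 203.0.113.7 198.51.100.20 TCP 4431 445 99 1024 SYN 0
not a firewall line
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(line):
    """Split one entry into named fields; return None if it does not fit.

    Assumed layout: month day time host chain action in_if out_if src dst
    proto sport dport, followed by fields this sketch ignores.
    """
    f = line.split()
    if len(f) < 13:
        return None
    try:
        ipaddress.ip_address(f[8])
        ipaddress.ip_address(f[9])
        sport, dport = int(f[11]), int(f[12])
    except ValueError:
        return None
    return {"time": " ".join(f[:3]), "chain": f[4], "action": f[5],
            "in_if": f[6], "out_if": f[7], "src": f[8], "dst": f[9],
            "proto": f[10], "sport": sport, "dport": dport}

def private_sources_on_external(lines, external_if="eth0"):
    """Count (src, dst, dport) for RFC 1918 sources seen on the external interface."""
    hits = Counter()
    for line in lines:
        e = parse(line)
        if e and e["in_if"] == external_if and is_rfc1918(e["src"]):
            hits[(e["src"], e["dst"], e["dport"])] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, dport), n in private_sources_on_external(SAMPLE.splitlines()).items():
        print(f"{n}x {src} -> {dst}:{dport}")
```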