Jim,

Since nobody else has replied, I'll take a crack.

An rfc1918 packet arrived at your external interface and you have
"norfc1918" specified on that interface.

Most likely originated from your ISP's equipment, hit your firewall, and was
dropped by norfc1918.  A successful guess of your internal network # is, as
far as I know, worthless to a potential attacker.  I am not personally aware
of any attack based on guessing internal network #s.... 

BTW, don't think of these addresses as "unroutable" for they are certainly
routable.  But most internet routers will not route them by default.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Ford
Sent: Saturday, December 10, 2005 8:26 AM
To: leaf-user
Subject: [leaf-user] Puzzling Shorewall log entry?


Trying to understand the Shorewall logs on my Bering uClibc setup, I'm
puzzled over the following entry, of which I've had several:

Dec 10  06:47:01        firewall        rfc1918 DROP    eth0    eth1
192.168.0.2     192.168.1.64    TCP     2595    54321   1410215655
63659   ACK     PSH     0

The rfc1918 address 192.168.0.2 is not one I use and as it's unroutable,
should not have arrived at my eth0. 192.168.1.64 is the IP address of the
machine I'm running Azureus on. The destination port 54321 is the one I use
for my Azureus bittorrent client. The source port 2595 is 'World Fusion 1' -
whatever that might be!

Has someone taken a guess at what the private IP address range I might be
using, spoofed it and tried to slip in via my open Azureus port? If
so, what would have happened if they had correctly guessed at the IP range I
use?

(BTW, am I giving anything important to potential intruders by revealing the
above info?)

Jim Ford



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
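
The check discussed in this thread, as an added example that is not part of either message and is not Shorewall code: it parses entries laid out like the one Jim posted and counts those whose source is in an RFC 1918 block yet arrived on the external interface. The field names, the eth0-is-external default, and the second and third sample lines are assumptions made for the example; it only handles TCP/UDP entries that carry both port fields.

```python
import ipaddress

# The three private blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed field order, read off the entry quoted in the post.
FIELDS = ("month", "day", "time", "host", "chain", "action",
          "in_if", "out_if", "src", "dst", "proto", "sport", "dport")

def parse_entry(line):
    """Split one whitespace-separated log entry into named fields."""
    tokens = line.split()
    if len(tokens) < len(FIELDS):
        raise ValueError("short log entry: %r" % line)
    entry = dict(zip(FIELDS, tokens))
    entry["extra"] = tokens[len(FIELDS):]  # remaining columns, kept verbatim
    return entry

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def private_source_on_external(entry, external_if="eth0"):
    """True when a private-source packet came in on the external interface."""
    return entry["in_if"] == external_if and is_rfc1918(entry["src"])

def summarize(lines, external_if="eth0"):
    """Count flagged entries per (source address, destination port)."""
    counts = {}
    for line in lines:
        if not line.strip():
            continue
        e = parse_entry(line)
        if private_source_on_external(e, external_if):
            key = (e["src"], int(e["dport"]))
            counts[key] = counts.get(key, 0) + 1
    return counts

# First line is the entry from the post, rejoined; the other two are constructed.
SAMPLE = """\
Dec 10 06:47:01 firewall rfc1918 DROP eth0 eth1 192.168.0.2 192.168.1.64 TCP 2595 54321 1410215655 63659 ACK PSH 0
Dec 10 06:49:12 firewall rfc1918 DROP eth0 eth1 192.168.0.2 192.168.1.64 TCP 2595 54321 1410217001 63659 ACK 0
Dec 10 06:50:30 firewall net2all DROP eth0 eth1 203.0.113.7 192.168.1.64 TCP 4000 135 1 512 SYN 0
""".splitlines()

if __name__ == "__main__":
    for (src, dport), n in summarize(SAMPLE).items():
        print(f"{src} -> port {dport}: {n} entries")
```

Repeated hits from one private source against one forwarded port, as in the sample, fit the reply's reading of a neighbouring host on the ISP side rather than a guess at the internal range.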


