On 20 Feb 2015, at 16:00, Donald S. Doyle <[email protected]> wrote:
> Hi,
>
> I apologize for the lack of info:
>
> ISP > Shorewall > Servers
>
> Shorewall is on its own Linux box, router. Yes, this is my gateway.
> Spiceworks is on one of the servers sitting behind the router.

OK, 2 things come to mind:

1) When packet tracing, the packets still appear even if they are firewalled. I.e., at the bottom layer the packets still show even though they get dropped later in the network filter stack. This is only an issue when looking at traffic on the firewall itself.

2) Just what is the IDS picking up? Even if the firewall drops all traffic to an IP, you may well still see connection attempts from the internal servers - these won't get answered, but you'll still see the initial TCP-Syn packets. In fact, you may see more of them as connection attempts get retried after timeouts.

So look first at what the IDS is actually detecting. If it's only TCP-Syn packets (i.e. a connection attempt) then that may be normal. Only if you get replies is there much to worry about.

Now, that does change a little depending on the nature of the malware. For some sites, the fact that there is a connection attempt may be an indication that you have a system carrying a lurgy. For many, it'll be no more than a link buried in legitimate sites causing connection attempts.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
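The check suggested in the reply above (are the alerts only unanswered TCP SYNs, or did the remote side reply?) can be run over a text capture. This is an added example, not part of the original thread; the sample lines are constructed in `tcpdump -nn` output format, and the addresses and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` text format (not from the original thread).
# 192.168.1.10 is a hypothetical internal server; the others are documentation addresses.
SAMPLE = """\
16:00:01.000000 IP 192.168.1.10.51514 > 203.0.113.5.80: Flags [S], seq 100, win 29200, length 0
16:00:02.000000 IP 192.168.1.10.51514 > 203.0.113.5.80: Flags [S], seq 100, win 29200, length 0
16:00:04.000000 IP 192.168.1.10.51514 > 203.0.113.5.80: Flags [S], seq 100, win 29200, length 0
16:00:05.000000 IP 192.168.1.10.40022 > 198.51.100.7.443: Flags [S], seq 200, win 29200, length 0
16:00:05.050000 IP 198.51.100.7.443 > 192.168.1.10.40022: Flags [S.], seq 900, ack 201, win 28960, length 0
16:00:05.051000 IP 192.168.1.10.40022 > 198.51.100.7.443: Flags [.], ack 901, win 229, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def classify(capture: str) -> dict:
    """Map (client, server, server_port) -> {'syns': n, 'answered': bool}."""
    flows = defaultdict(lambda: {"syns": 0, "answered": False})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":      # bare SYN: a connection attempt, or a retry after timeout
            flows[(src, dst, int(dport))]["syns"] += 1
        elif flags == "S.":   # SYN-ACK: the remote side replied
            # The reply travels server -> client, so swap to match the SYN's key.
            flows[(dst, src, int(sport))]["answered"] = True
    return dict(flows)

def report(capture: str) -> list:
    """One summary line per destination, flagging flows that received a reply."""
    out = []
    for (client, server, port), f in sorted(classify(capture).items()):
        verdict = "ANSWERED - investigate" if f["answered"] else "unanswered attempt(s)"
        out.append(f"{client} -> {server}:{port} syns={f['syns']} {verdict}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

As the reply notes, a capture taken on the firewall itself shows packets before they are dropped, so the retried SYNs in the first flow are expected there; a SYN-ACK coming back is what indicates traffic actually got through.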
