On 08/09/2016 04:13 PM, Jose Luis Marin Perez wrote:
> Dear sirs,
>
> I have Shorewall version 4.5.21.5 installed through RPM, configured to
> secure an internal network, and it has been working well.
>
> About a week ago, strange behavior started appearing, as the following
> log entries show:
>
> Aug 7 00:00:00 Seguridad kernel: Shorewall:fw2net:DROP:IN= OUT=eth1 SRC=200.48.129.3 DST=69.197.169.78 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59233 DF PROTO=TCP SPT=42554 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 7 00:00:00 Seguridad kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth1 SRC=200.48.170.59 DST=164.132.170.78 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58084 DF PROTO=TCP SPT=37529 DPT=1520 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 7 00:00:01 Seguridad kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth1 SRC=200.48.97.226 DST=190.196.123.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61407 DF PROTO=TCP SPT=40418 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 7 00:00:02 Seguridad kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth1 SRC=200.48.158.212 DST=69.30.224.86 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17682 DF PROTO=TCP SPT=50763 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 7 00:00:02 Seguridad kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth1 SRC=200.48.95.43 DST=149.202.219.49 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54444 DF PROTO=TCP SPT=48415 DPT=1520 WINDOW=5840 RES=0x00 SYN URGP=0
>
> As you will see, outbound requests from the FW's IP 200.48.129.3 are
> properly blocked; however, from other, unknown IPs access is allowed,
> and these IPs are not configured on any interface.
>
> What is happening is that the bandwidth is being saturated because
> there are many requests of this type.
>
> This is my interface settings:
>
> INTERFACES
> #ZONE   INTERFACE   OPTIONS
> net     eth1        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc     eth0        tcpflags,nosmurfs,routefilter,logmartians
> vpn     tosysb
>
>
> IFCONFIG eth1 200.48.129.3
>
> What could be happening?
>
Some application on the firewall system is initiating connections on
port 80 at a rapid pace. You can see what the application is via:
netstat -tnap | fgrep :80
If you are running a proxy like Squid on your firewall and the above
command shows that the connections are all coming from Squid, then you
need to look at the Squid log to see which local system is initiating
the connections; it may have been compromised.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users