On 1/1/2020 12:12 PM, David Watkins wrote:
> Dear All,
> 
> I'm a long-time user of shorewall and haven't touched my shorewall
> configuration for quite a while.
> 
> My configuration is a BT Homehub 5 as my ISP access point connected to
> my shorewall firewall box on eth1 (192.168.1.1).  My home network is
> connected to the firewall on eth0 (192.168.0.1).
> 
> I've become interested in shorewall again because I have a logwatch task
> that emails me a list of the dropped connections reported in the
> 'messages' log.  At the beginning there were a few hundred of these per
> day; recently there have been a few thousand; but for the last three
> days there have been 10s of thousands - mostly attempting to connect to
> port 37970.
> 
> Here's a very small sample:
> 
> <snipped out similar from pretty much every single subnet range>
> 
> I have two questions:
> 
> 1. What's going on here and should I be worried?
> 
> 2. Why is shorewall correctly blocking these packets but my BT Homehub is 
> not?  The Homehub firewall is enabled and set to drop all unsolicited 
> incoming traffic.

Is UPnP enabled on your BT Homehub?
If so, I would turn it off.


My guess is that your BT Homehub is not doing its job properly.

-Matt
-- 
Matt Darfeuille


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
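
For triaging a logwatch report like the one quoted in this thread, the sketch below tallies dropped packets per protocol and port and counts the distinct sources behind each. It is an added example, not code from the thread or from Shorewall; the function names are hypothetical and the sample lines are constructed from documentation address ranges.

```python
import re
from collections import defaultdict

# One logwatch summary line: "From <ip> - <n> packet(s) to proto(port[,port...])"
LINE_RE = re.compile(
    r"From\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+(?P<n>\d+)"
    r"\s+packets?\s+to\s+(?P<dst>.+)$")
TARGET_RE = re.compile(r"(?P<proto>[a-z0-9]+)\((?P<ports>[\d,]+)\)")

# Constructed sample (RFC 5737 addresses), in the format quoted in the thread.
SAMPLE = """\
>    From 192.0.2.10 - 1 packet to udp(37970)
>    From 192.0.2.11 - 5 packets to udp(37970)
>    From 198.51.100.7 - 3 packets to tcp(8291,8728)
>    From 198.51.100.8 - 1 packet to udp(5353)
>    From 203.0.113.20 - 2 packets to udp(37970)
>    From 203.0.113.21 - 1 packet to tcp(8291)
> <snipped>
""".splitlines()


def summarize(lines):
    """Map (proto, port) -> {"sources": set of IPs, "packets": int}."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0})
    for raw in lines:
        # Tolerate mail quoting ("> ") and indentation in front of the line.
        m = LINE_RE.search(raw.lstrip("> \t").rstrip())
        if not m:
            continue  # headers, blank lines, "<snipped>" markers
        targets = [(t["proto"], int(p))
                   for t in TARGET_RE.finditer(m["dst"])
                   for p in t["ports"].split(",") if p]
        for key in targets:
            stats[key]["sources"].add(m["src"])
        # The report gives one packet count per line; it can only be
        # attributed to a port when the line names exactly one port.
        if len(targets) == 1:
            stats[targets[0]]["packets"] += int(m["n"])
    return stats


def top_ports(lines, limit=5):
    """Rows of (proto, port, distinct_sources, packets), busiest first."""
    rows = [(proto, port, len(s["sources"]), s["packets"])
            for (proto, port), s in summarize(lines).items()]
    rows.sort(key=lambda r: (-r[2], -r[3], r[0], r[1]))
    return rows[:limit]


if __name__ == "__main__":
    for proto, port, sources, packets in top_ports(SAMPLE):
        print(f"{proto}/{port}: {sources} sources, {packets} packets")
```

A single port hit by many distinct sources, as opposed to many ports probed by a few sources, is the pattern worth comparing against the router's port-forwarding and UPnP mapping table.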
