On Sun, Dec 31, 2000 at 05:25:54PM -0600, Richard Cobbe wrote:
> JD Kitch <[EMAIL PROTECTED]> wrote:
> > Can anyone tell me what this person is looking for here, and how I
> > can find out where this is coming from?
> >
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17
> > xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127
> > (#43)
> > Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17
> > xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127
> > (#43)
> > Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17
> > xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127
> > (#43)
> > Dec 31 11:07:06 tower kernel: Packet log: output REJECT eth0 PROTO=17
> > xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7716 F=0x0000 T=127
> > (#43)
> > Dec 31 11:07:13 tower kernel: Packet log: output REJECT eth0 PROTO=17
> > xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7724 F=0x0000 T=127
> > (#43)
> > Dec 31 11:07:19 tower kernel: Packet log: output REJECT eth0 PROTO=17
> > xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7725 F=0x0000 T=127
> > (#43)
>
> You're not getting scanned, JD.  You're actually trying to *send* a packet
> to 172.16.72.113, port 161/udp (SNMP), from IP xx.xx.xx.xx, port 61662/udp.
> Your firewall rules don't allow this traffic to leave your machine.  (If
> xx.xx.xx.xx isn't your IP, then you're forwarding it instead---I think.  I
> can't check that, since I've only got the one machine.)
>
> Also, I *think* I've figured out what the (#43) means.  I'm fairly, but not
> completely, certain that this is the index number of the ruleset in the
> named chain (here, output) which caused the packet to be blocked.  This may
> be helpful in rewriting your firewall rules.  (I do wish that ipchain's log
> output format was documented better.)

I've got something quite similar to this, but mine's on INPUT--

Jan  2 01:18:48 server kernel: Packet log: input DENY eth0 PROTO=1 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=8964 F=0x0000 T=128 (#9)
Jan  2 01:18:51 server kernel: Packet log: input DENY eth0 PROTO=1 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=9220 F=0x0000 T=128 (#9)
Jan  2 01:20:07 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=33028 F=0x0000 T=128 (#9)
Jan  2 01:20:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34308 F=0x0000 T=128 (#9)
Jan  2 01:20:13 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34564 F=0x0000 T=128 (#9)

Using the "#9 = number within ruleset" theory, and with ruleset as follows:

# ipchains -nL
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8           0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.0.0/24        0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.1.0/24        0.0.0.0/0             n/a
DENY       all  ----l-  192.168.1.0/24        0.0.0.0/0             n/a
DENY       all  ----l-  192.168.1.0/24        0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0             208.33.90.85          n/a
ACCEPT     all  ------  0.0.0.0/0             208.33.90.255         n/a
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a

then it seems to be the final (default) ruleset that's doing the logging.  But where's this request coming FROM?  From what I gather, the 172.*.*.* is a private net block, and 224.*.*.* is a broadcast net block...  My intranet has two Macs and even a skanky ol' windo~1 box attached to the masquerading Debian server.  What's up with this?
-- 
See, if you were allowed to keep the money, you wouldn't create jobs with
it.  You'd throw it in the bushes or something.  But the government will
spend it, thereby creating jobs.
        -- Dave Barry
[EMAIL PROTECTED] *** http://www.dontUthink.com/

volunteer to document your experience for next week's newbies
-- http://www.eGroups.com/messages/newbieDoc