On Sun, 18 Nov 2001, guy keren wrote:
> 
> On Sun, 18 Nov 2001, Cedar Cox wrote:
> 
> > Unusual System Events
> > =-=-=-=-=-=-=-=-=-=-=
> > Nov 17 22:36:53 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3796 F=0x0000 T=255 (#2)
> > Nov 17 22:36:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3844 F=0x0000 T=255 (#2)
> > Nov 17 22:37:10 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3983 F=0x0000 T=255 (#2)
> > Nov 17 22:37:32 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4063 F=0x0000 T=255 (#2)
> > Nov 17 22:38:18 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4071 F=0x0000 T=255 (#2)
> > Nov 17 22:40:38 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4317 F=0x0000 T=255 (#2)
> > Nov 17 22:40:49 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4449 F=0x0000 T=255 (#2)
> > Nov 17 22:41:12 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4477 F=0x0000 T=255 (#2)
> > Nov 17 22:41:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4495 F=0x0000 T=255 (#2)
> >
> > Correct me if I'm wrong but it just looks like an internal (masq'ed) host
> > tried to contact the 172.26 network. We do not use this network so it was
> > sent to the default route but blocked on the way out (..just a safety so
> > no private traffic gets sent out the ppp0 interface).
> 
> how do you know it's a masqued host, and not your linux gateway that's
> emitting the traffic?

Because, (I think) outgoing ports 61000-65096 are only used for
masquerading and nothing else (someone please correct me if I am wrong).

> in any case, you could put a logging rule on the 'input' chain (or
> 'forward' chain) that logs any packet sent to 172.26.140.7:9044 using
> 'tcp', and see there where it comes from. assuming this still occurs.
> 
> --
> guy

Right.  I think this is the only way to get what I want.  I just didn't
know if there was some special logging for masquerading that I don't know
about.  Thanks to everyone that answered :)

-Cedar
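
An added example, not part of either poster's message: a small Python parser for the ipchains "Packet log" lines quoted in this thread. It groups denied packets by flow, reports the gaps between repeats, and marks source ports inside the masquerading range. The range is the figure given in the reply above, taken here as an assumption; the sample lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Masquerading source-port range as stated in the thread (assumption, not verified here).
MASQ_PORTS = range(61000, 65097)

# ipchains log layout: chain, action, interface, protocol, src:port, dst:port, ..., (#rule)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\sPacket log:\s"
    r"(?P<chain>\S+)\s(?P<action>\S+)\s(?P<iface>\S+)\sPROTO=(?P<proto>\d+)\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)\s"
    r"L=\d+\s.*\(#(?P<rule>\d+)\)$"
)

# Lines from the post, each rejoined onto a single line.
SAMPLE = """\
Nov 17 22:36:53 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3796 F=0x0000 T=255 (#2)
Nov 17 22:36:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3844 F=0x0000 T=255 (#2)
Nov 17 22:37:10 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3983 F=0x0000 T=255 (#2)
Nov 17 22:40:38 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4317 F=0x0000 T=255 (#2)
Nov 17 22:40:49 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4449 F=0x0000 T=255 (#2)
"""

def summarize(text):
    """Group packet-log lines by flow; return one summary dict per flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ipchains packet-log line
        key = (m["chain"], m["action"], m["src"], int(m["sport"]),
               m["dst"], int(m["dport"]))
        flows[key].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    report = []
    for (chain, action, src, sport, dst, dport), seen in flows.items():
        seen.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(seen, seen[1:])]
        report.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "chain": chain, "action": action, "count": len(seen),
            "gaps_s": gaps,                    # seconds between repeats
            "masq_port": sport in MASQ_PORTS,  # source port in masq range?
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A source port in the masquerading range only says the packet left through masquerading; the internal address still has to come from a logging rule on the 'input' or 'forward' chain, as suggested in the quoted reply.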

