Hiya - after having set up ipchains on a bunch of servers I'm
starting to see a load of DENY log entries - most of which appear
normal to me - although we've had a load of them over the past few
days from one particular IP address looking a bit like this:

    /var/log/messages:Oct 18 14:50:54 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 the.remote.ip.address:55833 our.server.ip.address:61533 L=40 S=0x00 I=60941 F=0x4000 T=247 (#22)

Our server in this case is masquerading a private net range - so I'm
not sure if it's the remote machine, our server, or one of the
workstations on the local masqueraded network which is responsible
for causing these packets to turn up banging on our firewall and
getting rejected.

It's interesting the way the port numbers get bumped up each time,
and the pattern of traffic... I thought at first it may have
something to do with ICQ - but I did a test with our local firewall
and although the traffic looked similar I don't think the packets in
question have anything to do with ICQ.

I have put a file up at:

    http://www.nitro.com.au/ipchains_log.txt

showing all the entries.

I was wondering three things:

a) can someone provide me with an explanation of what's going on here?

b) can someone elaborate or point me in the direction of some docs to
help me decode the ipchains output a bit better. I'm interested in
the stats listed after our.server.ip.address... ie. L=40 S=0x00
I=60941 F=0x4000 T=247 (#22)

c) can someone point me towards a list where it would be more
appropriate posting such discussions.

Thanks in advance for any help.

Dan.
--
Nitro - 3D Visualisation, Graphics & Animation
Ph (+61 2) 9810 5177 - Fx (+61 2) 9810 0199
http://www.nitro.com.au/
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list