On Thu, Aug 7, 2014, at 16:23, Tom Eastep wrote:
> On 8/7/2014 2:28 PM, merc1...@f-m.fm wrote:
> >
> > On Thu, Aug 7, 2014, at 13:27, Tom Eastep wrote:
> >> Once you stopped the daemons, the worrying messages also stopped?
> >
> > Stopped the daemons this morning ~9, and just noticed these, for the
> > first time ever... my username:
> >
> > [63829.975476] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53631 DF
> > PROTO=TCP SPT=59744 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> > GID=1000
> > [63832.985253] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20905 DF
> > PROTO=TCP SPT=59746 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> > GID=1000
> > [63838.990204] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56816 DF
> > PROTO=TCP SPT=59752 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> > GID=1000
> > [69807.263497] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59773 DF PROTO=TCP
> > SPT=54500 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69810.274781] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19387 DF PROTO=TCP
> > SPT=54503 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69816.279796] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19284 DF PROTO=TCP
> > SPT=54508 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69830.972496] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.236.96.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34434 DF PROTO=TCP
> > SPT=47805 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69833.982281] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.236.96.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19053 DF PROTO=TCP
> > SPT=47808 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69839.987629] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.236.96.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25925 DF PROTO=TCP
> > SPT=47813 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69853.600541] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.147.116.229 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38875 DF
> > PROTO=TCP SPT=58042 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> > GID=1000
> > [69856.595874] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.147.116.229 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51025 DF
> > PROTO=TCP SPT=58045 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> > GID=1000
> > [69862.600710] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=64.147.116.229 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60537 DF
> > PROTO=TCP SPT=58055 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000
> > GID=1000
> > [69875.925262] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2649 DF PROTO=TCP
> > SPT=54562 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69878.926688] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9464 DF PROTO=TCP
> > SPT=54565 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> > [69884.932444] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1
> > DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61431 DF PROTO=TCP
> > SPT=54570 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> >
>
> To get an immediate indication when a connection is being made, you can
> install the 'conntrack' package, then run:
>
> conntrack -E -p tcp --dport 13

The basic problem is I can never predict which port it's going to try next. Shorewall can only tell me the UID not the PID so I can't track this down. I can't believe that no one's ever thought of these things before.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
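
An added example, not part of the original thread: a small Python parser for Shorewall log records like the ones quoted above, grouping rejected connections by UID, protocol and destination port so that the ports and hosts being tried can be read off a saved log. The sample records are copied from the quoted log with the mail wrapping undone, and the function names are this example's own.

```python
import re

# Records copied from the quoted message above, with the mail client's
# line wrapping undone so that each kernel log record is one line.
SAMPLE_LOG = """\
[63829.975476] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1 DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53631 DF PROTO=TCP SPT=59744 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[63832.985253] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1 DST=64.250.229.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20905 DF PROTO=TCP SPT=59746 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[69807.263497] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1 DST=216.229.0.179 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59773 DF PROTO=TCP SPT=54500 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[69830.972496] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.111.1 DST=64.236.96.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34434 DF PROTO=TCP SPT=47805 DPT=13 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
"""

# "[uptime] Shorewall:<chain>:<disposition>:" followed by KEY=VALUE fields.
RECORD = re.compile(r"^\[\s*(\d+\.\d+)\]\s+Shorewall:([^:]+):([^:]+):(.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF and SYN are skipped


def parse_line(line):
    """Return a dict for one Shorewall log record, or None for other lines."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD.findall(m.group(4)))
    rec.update(ts=float(m.group(1)), chain=m.group(2), disposition=m.group(3))
    return rec


def summarize(text):
    """Group records by (UID, PROTO, DPT); collect destinations and time span."""
    groups = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec.get("UID"), rec.get("PROTO"), rec.get("DPT"))
        g = groups.setdefault(key, {"count": 0, "dsts": set(), "first": rec["ts"]})
        g["count"] += 1
        g["dsts"].add(rec.get("DST"))
        g["last"] = rec["ts"]  # records arrive in uptime order
    return groups


if __name__ == "__main__":
    for (uid, proto, dport), g in summarize(SAMPLE_LOG).items():
        print(uid, proto, dport, g["count"], sorted(g["dsts"]), g["first"], g["last"])
```

The summary does not identify the process; it only narrows down which UID, port and hosts are involved and when.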