Hi

On 23.03.2020 at 13:56, Vieri Di Paola wrote:
> On Mon, Mar 23, 2020 at 12:45 PM Matt Darfeuille <m...@shorewall.org> wrote:
>>
>> On 3/23/2020 11:40 AM, Vieri Di Paola wrote:
>>> Hi,
>>>
>>> I set up my Shorewall gateway with the following logic:
>>> - accept incoming connections for ports tcp 443, 80, and several others.
>>> - all other connection attempts to other ports are dropped and the
>>> source IP address is included in an ipset blacklist so subsequent
>>> connection attempts even to "legit" open ports are dropped for x
>>> amount of time.
>>>
>>> In general, this works fine.
>>>
>>> However, once in a while I get what seem to be false positives.
>>>
>>> For instance a known user usually connects fine to port 443 with an
>>> external IP address (1.2.3.4). Somehow, at some point Shorewall
>>> reports the following line in the log:
>>>
>>> IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00
>>> TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
>>> ...
>
>
>>> The user has no idea what this UDP connection is for, and I haven't
>>> found any program using this port (58129 is supposed to be in the
>>> dynamic range).
>>

You could set up a honeypot if it is always the same port or the same host.

cheers

ET
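A triage helper for the false-positive case discussed in this thread, added here as an example and not part of the original messages or of Shorewall: it parses netfilter LOG lines like the one quoted above and separates hits from known sources on dynamic-range UDP ports from other blacklist triggers. The `known_sources` allowlist, the review heuristic, the `UDP_LEN` key and the constructed sample lines are assumptions.

```python
from collections import Counter

# IANA dynamic/private port range, the range the post refers to.
DYNAMIC_PORTS = range(49152, 65536)

# Constructed sample: lines 1 and 3 repeat the entry quoted in the post (joined
# onto one line, ID changed on the repeat); line 2 is made up.
SAMPLE_LOG = """\
IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
IN=ppp3 OUT= MAC= SRC=198.51.100.7 DST=4.3.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1201 DF PROTO=TCP SPT=40110 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=46790 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
"""

def parse_line(line):
    """Parse one netfilter LOG line; keeps both LEN fields and bare flags."""
    fields, flags = {}, []
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            flags.append(token)          # bare tokens such as DF or SYN
        elif key == "LEN" and "LEN" in fields:
            fields["UDP_LEN"] = value    # second LEN is the UDP length
        else:
            fields[key] = value
    fields["FLAGS"] = flags
    return fields

def triage(log_text, known_sources=()):
    """Return (src, proto, dpt, count, verdict) rows, most frequent first."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC" in f and "DPT" in f:
            hits[(f["SRC"], f.get("PROTO", "?"), int(f["DPT"]))] += 1
    rows = []
    for (src, proto, dpt), n in hits.most_common():
        # Assumed heuristic: a known source hitting a dynamic UDP port is
        # flagged for review instead of being treated as a probe.
        if src in known_sources and proto == "UDP" and dpt in DYNAMIC_PORTS:
            verdict = "review"
        else:
            verdict = "blacklist"
        rows.append((src, proto, dpt, n, verdict))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, known_sources={"1.2.3.4"}):
        print(row)
```

Repeated hits with the same source port and destination port, as in the sample, are the pattern worth checking against the known user's applications before the source is added to the ipset.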