On Mon, Oct 4, 2010 at 07:28, JD <jd1...@gmail.com> wrote:
> I have a router/gateway which forwards a few ports
> to my machine. Port 995 is absolutely not one of them.
> I checked and rechecked.
>
> My F13 iptables is instrumented to print a "Dropped" message
> for packets that it drops.
> So I was surprised to see many messages like this:
>
> Dropped by firewall: IN=wlan0 OUT=
> MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 SRC=74.125.127.109
> DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 PROTO=TCP SPT=995
> DPT=57892 WINDOW=0 RES=0x00 RST URGP=0
>
> Port 995 is for SSL'ed pop protocol.
>
> I even used another machine and tried to telnet to the
> router's public IP address, port 995
>
> telnet my-router-public-ip-address 995
>
> to see if it would forward the packet to my machine.
> It did not and the firewall did not even see the packet.
>
> How can this happen? The packet obviously arrived from the gmail pop
> server,
> unless a clever hacker spoofed the source IP.
> I do not understand how any server can worm a packet to my LAN address,
> when the router's per-LAN-client dedicated firewalls
> do not provide for forwarding this port to any machine on the LAN.
> (yes - this router provides a separately configurable firewall and port
> forwarding table for each LAN client) -
>
> Is it possible that the router itself got hacked?

Since it's the source port that is 995, it seems Google is trying to respond to your computer, which started a communication with them with destination port of 995 and destination address of Google.
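Added example, not part of the original thread: a small Python triage of "Dropped by firewall" lines that applies the reply's reasoning, reading SPT, DPT and the TCP flags to tell a late reply to an outbound connection from a new inbound connection attempt. The ephemeral port range, the category names and the second sample line are assumptions made for illustration.

```python
import re

# Assumption: Linux default ephemeral (client-side) port range.
EPHEMERAL = range(32768, 61000)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

# The line quoted in the thread, joined back onto one line.
THREAD_LINE = ("Dropped by firewall: IN=wlan0 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 SRC=74.125.127.109 "
    "DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 PROTO=TCP "
    "SPT=995 DPT=57892 WINDOW=0 RES=0x00 RST URGP=0")
# Constructed for contrast: a new inbound connection attempt to port 995.
CONSTRUCTED_SYN = ("Dropped by firewall: IN=wlan0 OUT= SRC=203.0.113.7 "
    "DST=10.1.1.8 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4021 PROTO=TCP "
    "SPT=40112 DPT=995 WINDOW=5840 RES=0x00 SYN URGP=0")

def parse(line):
    """Return (key=value fields, set of bare TCP flag tokens) for a LOG line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(line):
    fields, flags = parse(line)
    if fields.get("PROTO") != "TCP" or "SPT" not in fields or "DPT" not in fields:
        return "not-tcp"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    # A bare SYN is a peer opening a new connection towards this host.
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connection-attempt"
    # Service port as source and a client-range port as destination: the
    # remote server is answering a connection this host opened earlier.
    if spt < 1024 and dpt in EPHEMERAL:
        return "reply-to-outbound"
    return "unclassified"

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_SYN):
        print(classify(line), "<-", line[:60])
```

For the line from the thread this returns "reply-to-outbound": the packet carries RST from port 995 to a client-range port, which no port-forwarding rule on the router is needed to explain.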