Re: Strange Shorewall Log Entries

From: <@lf>
Date: Mon Apr 17 2006 - 23:38:05 CEST

jonathanve@gmail.com wrote:
> Hi all,
>
> Today, I noticed a ton of strange entries in my shorewall log file
> (kern.log):
>
> Apr 12 22:55:41 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17 DPT=35035 LEN=59
> Apr 12 22:56:06 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=258 DPT=35038 LEN=76
>
> There are around 2000 such entries, each having a different destination
> port (larger than 35000) and most having a different source port
> (~15-400). I don't understand why the source IP is my router. The
> middle part of the MAC address (00:11:50:48:e4:a0) matches the internal
> MAC address of my router. What does this mean?
>
> Also, at the very end of these lines there is:
>
> Apr 12 22:57:39 server kernel: eth0: link down
> Apr 12 22:57:41 server kernel: eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
> Apr 12 22:57:53 server kernel: eth0: link down
> Apr 12 22:57:55 server kernel: eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
>
> Are these two events related?
>
> Any insight would be greatly appreciated!
>
> Thanks!
>
> Jonathan
>

http://www.seifried.org/security/ports/35000/35035.html
http://www.seifried.org/security/ports/35000/35038.html
http://www.seifried.org/security/ports/0/17.html
http://www.seifried.org/security/ports/0/258.html
http://www.auditmypc.com/port/udp-port-17.asp
http://www.auditmypc.com/port/udp-port-258.asp

You can find much more at www.google.com

If 192.168.2.1 is your gateway and 192.168.2.2 is your computer, then
this is communication from the internet to you.
Are UDP ports 350** forwarded? If so, do you really need them? If not, close
them. If you use Windows ME or XP and your router supports UPnP
services, are they enabled? If so, the router may automatically forward ports.

About MAC:

http://en.wikipedia.org/wiki/Network_address_translation
Received on Mon May 1 01:07:53 2006
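As an added example (not part of the thread), a small Python parser for the netfilter/Shorewall log format quoted above. It splits the MAC= field into destination MAC, source MAC and EtherType, which is why the router's MAC sits in the middle of that field, and aggregates the DROP entries by source address and port range so a reader can check a whole kern.log the way the reply suggests. The sample lines are constructed from the two entries Jonathan posted; the router MAC passed to summarize() is the one he identified.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in the thread, reflowed onto one
# line each, plus one of the link-down messages (which parse_line must skip).
SAMPLE_LOG = """\
Apr 12 22:55:41 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17 DPT=35035 LEN=59
Apr 12 22:56:06 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=258 DPT=35038 LEN=76
Apr 12 22:57:39 server kernel: eth0: link down
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[A-Z]+):(?P<rest>.*)")

def parse_mac_field(mac):
    """Netfilter's MAC= field is dst MAC (6 octets), src MAC (6), EtherType (2)."""
    o = mac.split(":")
    if len(o) != 14:
        return None
    return {"dst_mac": ":".join(o[0:6]), "src_mac": ":".join(o[6:12]),
            "ethertype": "0x" + "".join(o[12:14])}  # 0x0800 = IPv4

def parse_line(line):
    """Return the key=value fields of one Shorewall log line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "target": m.group("target")}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            if k == "LEN" and "LEN" in fields:  # second LEN is the UDP length
                k = "UDP_LEN"
            fields[k] = v
        else:
            fields[tok] = True  # bare flags such as DF
    return fields

def summarize(log_text, router_mac):
    """Aggregate the DROP entries the way one would to answer the question above."""
    drops = [f for f in map(parse_line, log_text.splitlines()) if f and f["target"] == "DROP"]
    from_router = sum(1 for f in drops
                      if (parse_mac_field(f.get("MAC", "")) or {}).get("src_mac") == router_mac)
    high_dpt = sum(1 for f in drops if f.get("PROTO") == "UDP" and int(f.get("DPT", 0)) > 35000)
    spts = [int(f["SPT"]) for f in drops if "SPT" in f]
    return {"drops": len(drops), "frames_from_router_mac": from_router,
            "udp_dpt_over_35000": high_dpt,
            "spt_range": (min(spts), max(spts)) if spts else None,
            "src_ips": Counter(f["SRC"] for f in drops)}
```

Run it over a real kern.log by passing the file contents to summarize(); a frames_from_router_mac count equal to drops confirms every dropped frame arrived via the router, and the IP-level SRC field then tells you whether the router itself or something it forwarded is the origin.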