internal masq'd clients being logged as connection attempts?

Post by Constantine Karbalioti » Wed, 19 Jan 2000 04:00:00



I have a peculiar problem, and I am not sure that I have diagnosed it
correctly: syslog reports every connection made by my internally masq'd
machines to my masquerading machine as a connection attempt, such as:

tcplogd: port 3128 connection attempt from

This doesn't interfere with web browsing, etc., but it clutters the syslog
and makes scanning it difficult, since I regularly review it to scan
for real unauthorized attempts to connect. I don't understand
why I can't make it recognize the computers on my network, as

connections are logged as connection attempts but not really blocked,
then I am doing something wrong to prohibit outside connections. I
should mention I am running squid to provide web caching to my internal
LAN, which is why port 3128 is being used.

My theories as to why this is happening: (1) I don't have the right rule
for ipfwadm to permit this access explicitly; or (2) I have
misconfigured hosts, hosts.allow and hosts.deny.

(1) I am using ipfwadm for firewall rules; I have a robust rule set from
David Ranch's TrinityOS pages, but I cannot figure out how to explicitly
permit access from the internal network to squid (if that is the
problem); is this correct ($intif is the internal interface, $intip is
the internal lan ip address, $universe = 0.0.0.0)?

/sbin/ipfwadm -I -a accept -W $intif -P tcp -S $universe/0 -D $intip/32 3128
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S $universe/0 3128 -D $intip/32

(2) My hosts file on the masquerading machine lists the loopback as
localhost, and each computer with the internal IP address in the following form:

and hosts.allow is:
ALL: 127.0.0.1
ALL: LOCAL

Of course, hosts.deny is:
ALL: ALL
ALL: PARANOID

Post by Phil DeBecke » Wed, 19 Jan 2000 04:00:00



> I have a peculiar problem, and I am not sure that I have diagnosed it
> correctly: syslog reports every connection made by my internally masq'd
> machines to my masquerading machine as a connection attempt, such as:

> tcplogd: port 3128 connection attempt from


<snip>

Sounds like everything is working OK and you're just getting these useless
log messages.  You should be able to configure tcplogd to ignore
connections from your internal network and get rid of the messages.

This has nothing to do with ipfwadm being incorrectly configured -- the
messages are coming from tcplogd itself.  If your ipfwadm rules were wrong
then you would see errors like

firewall kernel: 00:00:00:00:  IP FW-IN DENY xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 3128

...but that's not what is happening.  Likewise, hosts.allow and .deny have
nothing to do with this.

Read the docs on tcplogd and put an option to ignore connects from local
IPs in its configuration file and all will be well.

--
Phil DeBecker

"Quidquid latine dictum sit, altum viditur."

Post by Constantine Karbalioti » Wed, 19 Jan 2000 04:00:00


Thanks for the help; I will try that. I have run some scans on my masqueraded
box, so I didn't think things were leaking, but it is good to know that
nothing serious is happening.


> > I have a peculiar problem, and I am not sure that I have diagnosed it
> > correctly: syslog reports every connection made by my internally masq'd
> > machines to my masquerading machine as a connection attempt, such as:

> > tcplogd: port 3128 connection attempt from

> <snip>

> Sounds like everything is working OK and you're just getting these useless
> log messages.  You should be able to configure tcplogd to ignore
> connections from your internal network and get rid of the messages.

> This has nothing to do with ipfwadm being incorrectly configured -- the
> messages are coming from tcplogd itself.  If your ipfwadm rules were wrong
> then you would see errors like

> firewall kernel: 00:00:00:00:  IP FW-IN DENY xxx.xxx.xxx.xxx
> xxx.xxx.xxx.xxx 3128

> ...but that's not what is happening.  Likewise, hosts.allow and .deny have
> nothing to do with this.

> Read the docs on tcplogd and put an option to ignore connects from local
> IPs in its configuration file and all will be well.

> --
> Phil DeBecker

> "Quidquid latine dictum sit, altum viditur."

Post by Constantine Karbalioti » Fri, 21 Jan 2000 04:00:00


Well, tcplogd doesn't seem to be able to "exclude" messages from IP addresses on
the network; something more fundamental must be done. I tried to include squid as
a service with port 3128, and included squid in the firewall rules which permit
internal machines to access the internet; this doesn't work either. When I don't
use the squid proxy, i.e. go direct to the internet, there is no logging of the
connection. This makes me think that the problem is still in hosts.access or
hosts; any help out there?

> Thanks for the help; I will try that. I have run some scans on my masqueraded
> box, so I didn't think things were leaking, but it is good to know that
> nothing serious is happening.



> > > I have a peculiar problem, and I am not sure that I have diagnosed it
> > > correctly: syslog reports every connection made by my internally masq'd
> > > machines to my masquerading machine as a connection attempt, such as:

> > > tcplogd: port 3128 connection attempt from

> > <snip>

> > Sounds like everything is working OK and you're just getting these useless
> > log messages.  You should be able to configure tcplogd to ignore
> > connections from your internal network and get rid of the messages.

> > This has nothing to do with ipfwadm being incorrectly configured -- the
> > messages are coming from tcplogd itself.  If your ipfwadm rules were wrong
> > then you would see errors like

> > firewall kernel: 00:00:00:00:  IP FW-IN DENY xxx.xxx.xxx.xxx
> > xxx.xxx.xxx.xxx 3128

> > ...but that's not what is happening.  Likewise, hosts.allow and .deny have
> > nothing to do with this.

> > Read the docs on tcplogd and put an option to ignore connects from local
> > IPs in its configuration file and all will be well.

> > --
> > Phil DeBecker

> > "Quidquid latine dictum sit, altum viditur."

Post by Phil DeBecke » Fri, 21 Jan 2000 04:00:00



> Well, tcplogd doesn't seem to be able to "exclude" messages from ip addresses on
> the network; something more fundamental must be done. I tried to include squid as
> a service with port 3128, and includes squid in the firewall rules which permits
> internal machine to access the internet; this doesn't work either. When I don't
> use the squid proxy, ie go direct to the internet, there is no logging of the
> connection. This makes me think that the problem is still in hosts.access or
> hosts; any help out there?

No.  The reason you don't get any logging from tcplogd when you don't use squid is
that there isn't any TCP connection occurring to your masq box for tcplogd to
record.  What happens is that the packets go to the masq box (because the masq box
is the gateway for the internal PCs) and the forwarding / masquing component of the
firewall accepts and forwards the packet to the outside -- there is never a
TCP connection to any application running on the server.

When you run squid, the process is completely different.  Squid is a server running
on the masq box, and your internal machines connect directly to it via TCP -- those
connections are not masqueraded.  Squid then proxies the connection.  But in this
case a TCP connection does occur and therefore the connection is logged by tcplogd.

So, again:  there is nothing wrong with your hosts.allow/deny or hosts files.

I was mistaken in one way though:  I run a program called "tcplog" which allows me
to define the severity of logging for various services and allows me to configure
exception ranges of IP addresses which don't get logged at all.  Evidently tcplogd
that you're running is not the same thing.

So either run a different tcp log program or ignore the errors.  There's nothing
wrong with your setup.

Phil D.


> > Thanks for the help; I will try that. I have run some scans on my masqueraded
> > box, so I didn't think things were leaking, but it is good to know that
> > nothing serious is happening.



> > > > I have a peculiar problem, and I am not sure that I have diagnosed it
> > > > correctly: syslog reports every connection made by my internally masq'd
> > > > machines to my masquerading machine as a connection attempt, such as:

> > > > tcplogd: port 3128 connection attempt from

> > > <snip>

> > > Sounds like everything is working OK and you're just getting these useless
> > > log messages.  You should be able to configure tcplogd to ignore
> > > connections from your internal network and get rid of the messages.

> > > This has nothing to do with ipfwadm being incorrectly configured -- the
> > > messages are coming from tcplogd itself.  If your ipfwadm rules were wrong
> > > then you would see errors like

> > > firewall kernel: 00:00:00:00:  IP FW-IN DENY xxx.xxx.xxx.xxx
> > > xxx.xxx.xxx.xxx 3128

> > > ...but that's not what is happening.  Likewise, hosts.allow and .deny have
> > > nothing to do with this.

> > > Read the docs on tcplogd and put an option to ignore connects from local
> > > IPs in its configuration file and all will be well.

> > > --
> > > Phil DeBecker

> > > "Quidquid latine dictum sit, altum viditur."

--
Phil DeBecker

"Quidquid latine dictum sit, altum viditur."
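Phil's explanation above (masqueraded traffic never opens a TCP connection to the gateway, while squid clients do) suggests a practical way to keep the syslog reviewable without hiding real attempts: suppress only the expected internal-to-3128 lines and keep everything else, including internal hosts touching other ports on the gateway. This is an added example, not code from this thread or from tcplogd/ipfwadm; the log formats are modelled on the two lines quoted in the thread, and the 192.168.1.0/24 range, the sample addresses and the regexes are assumptions.

```python
import ipaddress
import re

# Constructed sample syslog lines, modelled on the two formats quoted in
# this thread (tcplogd connection attempts and ipfwadm kernel denies).
# Addresses are made up; 192.168.1.0/24 stands in for the internal LAN.
SAMPLE_SYSLOG = """\
Jan 19 08:01:12 gw tcplogd: port 3128 connection attempt from 192.168.1.20
Jan 19 08:01:13 gw tcplogd: port 3128 connection attempt from 192.168.1.21
Jan 19 08:02:40 gw tcplogd: port 3128 connection attempt from 203.0.113.77
Jan 19 08:03:05 gw tcplogd: port 23 connection attempt from 192.168.1.20
Jan 19 08:04:11 gw kernel: IP FW-IN DENY 198.51.100.9 203.0.113.5 3128
"""

INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN range
SQUID_PORT = 3128

TCPLOGD_RE = re.compile(r"tcplogd: port (\d+) connection attempt from (\S+)")
FWDENY_RE = re.compile(r"kernel: .*IP FW-IN DENY (\S+) (\S+) (\d+)")

def is_internal(ip_str):
    """True if the address falls inside one of the configured LAN ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Label a syslog line; only LAN clients reaching the squid port are expected noise."""
    m = TCPLOGD_RE.search(line)
    if m:
        port, src = int(m.group(1)), m.group(2)
        if is_internal(src):
            return "squid-internal" if port == SQUID_PORT else "tcplogd-internal-other"
        return "tcplogd-external"  # an outside host reached a listening service
    if FWDENY_RE.search(line):
        return "fw-deny"  # the ipfwadm input chain actually blocked something
    return "other"

def triage(text):
    """Count the expected squid lines; return everything else worth a human's eyes."""
    suppressed = 0
    review = []
    for line in text.splitlines():
        kind = classify(line)
        if kind == "squid-internal":
            suppressed += 1
        elif kind != "other":
            review.append((kind, line))
    return suppressed, review
```

Run against the sample, two of the five lines are suppressed and three remain for review: the external host reaching squid, the internal host touching port 23 on the gateway, and the kernel deny.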