Question about SuSE firewall behavior

Post by Chuck Lall » Thu, 31 May 2001 21:30:11



I am running SuSE firewall and am getting the following messages repeated
several times in /var/log/messages.  I don't know what it means and if I
have something misconfigured.  

Packet log Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:138
xxx.xxx.xxx.255:138 L=234 S=0x00 I=0 F=0x4000 T=64 (#2)
  Where xxx.xxx.xxx.xxx is my static IP address using SDSL.

What does this mean?  Am I denying something from within my own network?

Thanks,

Chuck

Question about SuSE firewall behavior

Post by nord » Fri, 01 Jun 2001 00:10:50



> I am running SuSE firewall and am getting the following messages repeated
> several times in /var/log/messages.  I don't know what it means and if I
> have something misconfigured.

> Packet log Packet log: input DENY

You ignore the following incoming packet...

> eth0

... on your first ethernet card

> PROTO=17

a UDP packet (see /etc/protocols)

> xxx.xxx.xxx.xxx:138

from your system's port 138

> xxx.xxx.xxx.255:138 L=234 S=0x00 I=0 F=0x4000 T=64 (#2)

to your subnet's broadcast address on port 138, which is netbios (see
/etc/services)
T=64 means time to live is 64 (guess), looks like the packet really is from
your host.

> What does this mean?  Am I denying something from within my own network?

Looks like it. If you need it, tell your firewall to let it through. If you
don't, find out what daemon is sending out broadcast packets and deinstall
it.

nordi

--
Linux - Less bugs for less bucks!

Visit http://private.addcom.de/nordi

Question about SuSE firewall behavior

Post by Chuck Lall » Fri, 01 Jun 2001 07:39:46


More questions:  today I found these in my /var/log/messages file

Have I been hacked?
May 29 23:19:20 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
137.208.85.85:3640 64.81.215.242:1080 L=60 S=0x00 I=63132 F=0x4000 T=43 SYN
(#38)
May 30 04:51:06 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
148.206.65.145:16227 64.81.xxx.xxx32771 L=44 S=0x00 I=31100 F=0x0000 T=41
SYN (#38)
May 30 09:30:26 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=7820 F=0x4000 T=110
SYN (#38)
May 30 09:30:27 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=17292 F=0x4000 T=110
SYN (#38)
May 30 09:30:28 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=22924 F=0x4000 T=110
SYN (#38)
May 30 09:30:29 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=30348 F=0x4000 T=110
SYN (#38)
May 30 18:28:38 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
212.34.211.79:3263 64.81.xxx.xxx:8080 L=48 S=0x00 I=8590 F=0x4000 T=110 SYN
(#38)
May 30 18:28:40 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
212.34.211.79:3263 64.81.xxx.xxx:8080 L=48 S=0x00 I=8950 F=0x4000 T=110 SYN
(#38)


> I am running SuSE firewall and am getting the following messages repeated
> several times in /var/log/messages.  I don't know what it means and if I
> have something misconfigured.

> Packet log Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:138
> xxx.xxx.xxx.255:138 L=234 S=0x00 I=0 F=0x4000 T=64 (#2)
>   Where xxx.xxx.xxx.xxx is my static IP address using SDSL.

> What does this mean ?  Am I denying something from within my own network ?

> Thanks,

> Chuck

Question about SuSE firewall behavior

Post by Manfred Bart » Fri, 01 Jun 2001 09:37:36



> More questions:  today I found these in my /var/log/messages file

> Have I been hacked ?

Just going by the logs, probably not.
But you should DENY all incoming SYN packets.

If you run squid (port 3128) then that port should be protected by a
DENY rule from outside access.  Same for any other servers you might
run.  Check with ``netstat -tupan''.

> May 29 23:19:20 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 137.208.85.85:3640 64.81.215.242:1080 L=60 S=0x00 I=63132 F=0x4000 T=43 SYN
> (#38)
> May 30 04:51:06 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 148.206.65.145:16227 64.81.xxx.xxx32771 L=44 S=0x00 I=31100 F=0x0000 T=41
> SYN (#38)
> May 30 09:30:26 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=7820 F=0x4000 T=110
> SYN (#38)
> May 30 09:30:27 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=17292 F=0x4000 T=110
> SYN (#38)
> May 30 09:30:28 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=22924 F=0x4000 T=110
> SYN (#38)
> May 30 09:30:29 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 61.141.101.168:1261 64.81.xxx.xxx:3128 L=48 S=0x00 I=30348 F=0x4000 T=110
> SYN (#38)
> May 30 18:28:38 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 212.34.211.79:3263 64.81.xxx.xxx:8080 L=48 S=0x00 I=8590 F=0x4000 T=110 SYN
> (#38)
> May 30 18:28:40 linux kernel: Packet log: input ACCEPT eth0 PROTO=6
> 212.34.211.79:3263 64.81.xxx.xxx:8080 L=48 S=0x00 I=8950 F=0x4000 T=110 SYN
> (#38)

You can extract the rules you need from:
        <http://logi.cc/linux/minimalIPChainsRules.txt>

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
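The field-by-field reading nordi gives above and Manfred's advice to look for ACCEPTed inbound SYNs, as one added Python example (not code from the thread, from SuSE, or from Manfred's analyzer). It parses the ipchains "Packet log:" format quoted in the thread, labels a DENY of the host's own subnet broadcast and an ACCEPTed inbound SYN from outside the local subnet, and lists the local ports such SYNs reached. The sample lines are constructed from the thread's records with RFC 5737 documentation addresses standing in for the masked ones; the local subnet (203.0.113.0/24), the sample data and the small PROTO name table are assumptions of the example.

```python
"""Triage ipchains 'Packet log:' lines the way the two replies above do.
Added example; the sample lines below are constructed from the thread's
format with RFC 5737 documentation addresses in place of the masked ones."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One ipchains log record, as quoted in the thread:
# Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#             L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

# Subset of /etc/protocols (assumed here); nordi's "PROTO=17 is UDP" comes from that file.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class PacketLog:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: tuple
    rule: int


def parse_line(line):
    """Return a PacketLog for an ipchains log line, or None for other kernel messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return PacketLog(
        chain=m["chain"], target=m["target"], iface=m["iface"],
        proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), ttl=int(m["ttl"]),
        flags=tuple(m["flags"].split()), rule=int(m["rule"]),
    )


def classify(rec, local_net):
    """Label one record with the two cases discussed in the thread.

    local_net is an assumption of this example: the subnet the host sits on,
    as a CIDR string (the thread only shows a masked address)."""
    net = ip_network(local_net)
    src, dst = ip_address(rec.src), ip_address(rec.dst)
    # nordi's reading: our own host sending to the subnet broadcast address
    # (port 138 is netbios-dgm) and the firewall dropping that broadcast.
    if rec.target == "DENY" and src in net and dst == net.broadcast_address:
        return "local-broadcast-denied"
    # Manfred's point: an ACCEPTed inbound SYN from outside the subnet means
    # a remote host was allowed to open a TCP connection to a local port.
    if (rec.chain == "input" and rec.target == "ACCEPT"
            and "SYN" in rec.flags and src not in net):
        return "inbound-syn-accepted"
    return "other"


def triage(log_text, local_net):
    """Count verdicts and list the (port, proto) pairs that accepted connections from outside."""
    verdicts = Counter()
    exposed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec, local_net)
        verdicts[verdict] += 1
        if verdict == "inbound-syn-accepted":
            exposed.add((rec.dport, PROTO_NAMES.get(rec.proto, str(rec.proto))))
    return verdicts, sorted(exposed)


# Constructed sample: 203.0.113.5 stands in for the masked local address
# (subnet 203.0.113.0/24), 198.51.100.x for remote hosts.
SAMPLE_LOG = """\
May 29 23:10:00 linux kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:138 203.0.113.255:138 L=234 S=0x00 I=0 F=0x4000 T=64 (#2)
May 29 23:19:20 linux kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:3640 203.0.113.5:1080 L=60 S=0x00 I=63132 F=0x4000 T=43 SYN (#38)
May 30 09:30:26 linux kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.9:1261 203.0.113.5:3128 L=48 S=0x00 I=7820 F=0x4000 T=110 SYN (#38)
May 30 09:30:27 linux kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.9:1261 203.0.113.5:3128 L=48 S=0x00 I=17292 F=0x4000 T=110 SYN (#38)
May 30 18:28:38 linux kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.9:3263 203.0.113.5:8080 L=48 S=0x00 I=8590 F=0x4000 T=110 SYN (#38)
"""

if __name__ == "__main__":
    counts, ports = triage(SAMPLE_LOG, "203.0.113.0/24")
    print(dict(counts))   # {'local-broadcast-denied': 1, 'inbound-syn-accepted': 3, 'other': 1}
    print(ports)          # [(1080, 'tcp'), (3128, 'tcp')]
```

The port list is what to compare against the output of ``netstat -tupan'': any port that appears in both is a listening service that the input chain let outside hosts reach. The last sample line comes from inside the subnet and is deliberately left as "other" so the subnet check is exercised.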

Fwd: SuSe 8.0 Personal Firewall questions

,--------------- Forwarded message (begin)

 Subject: SuSe 8.0 Personal Firewall questions

 Date: Tue, 11 Jun 2002 15:54:42 -0500

 I am having trouble finding out some information on the Personal
 firewall included with SuSE 8.0, which I am running.

 The docs in /usr/share/doc/packages talk about setting up runlevels
 and such to install the firewall.

 The help says to enable the firewall when you create the modem dialup.

 I don't have a modem?

 I went into YaST2 and under Security enabled the firewall.

 How can I tell if it is running?

 Also, when I look in /var/log/firewall I get all kinds of stuff like
 this:

 Jun 10 21:49:58 linux kernel: eth0: no IPv6 routers present
 Jun 10 21:51:55 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT=
 MAC=00:50:ba:5e:37:e5:00:04:5a:d8:ca:17:08:00 SRC=192.168.1.1
 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=150 ID=55654 PROTO=TCP
 SPT=3185 DPT=1026 WINDOW=5840 RES=0x00 ACK RST URGP=0
 Jun 10 21:51:58 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT=
 MAC=00:50:ba:5e:37:e5:00:04:5a:d8:ca:17:08:00 SRC=192.168.1.1
 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=150 ID=55655 PROTO=TCP
 SPT=3185 DPT=1026 WINDOW=5840 RES=0x00 ACK RST URGP=0

 Jun 11 08:58:25 linux kernel: Inspecting /boot/System.map-2.4.18-4GB
 Jun 11 08:58:25 linux kernel: Loaded 12771 symbols from
 /boot/System.map-2.4.18-4GB.
 Jun 11 08:58:25 linux kernel: Symbols match kernel version 2.4.18.
 Jun 11 08:58:25 linux kernel: Loaded 3599 symbols from 51 modules.
 Jun 11 10:30:05 linux kernel: ALSA
 ../../../alsa-kernel/core/seq/oss/seq_oss_init.c:212: no device found
 Jun 11 10:56:27 linux kernel: ALSA
 ../../../alsa-kernel/core/seq/oss/seq_oss_init.c:212: no device found
 Jun 11 11:25:49 linux kernel: ALSA
 ../../../alsa-kernel/core/seq/oss/seq_oss_init.c:212: no device found

 I can understand the packet stuff, but what are OSS and alsa hits
 doing in a firewall log?

 FWIW the firewall log and the system log look very similar with all
 kinds of device traffic (i.e. mounting drives etc).

 What am I doing wrong here?

 Oh yeah, I am on a broadband hook up if it matters.
 tia

 flatfish

`--------------- Forwarded message (end)
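The forwarded message shows /var/log/firewall holding ALSA and System.map messages next to the SuSE-FW records. The firewall entries are the ones the kernel logs with a SuSE-FW-<RULE> prefix followed by the netfilter key=value packet dump; everything else is an ordinary kernel message that the syslog configuration happens to route to the same file. The following added Python example (not code from the message, from SuSE, or from SuSEfirewall2) separates the two, parses the key=value fields and the bare TCP flag words, and counts records per rule name and per flow. The sample lines are constructed from the message's own entries, and the prefix pattern SuSE-FW-[A-Z0-9-]+ is an assumption of the example.

```python
"""Separate SuSE-FW netfilter records from the other kernel messages that
share /var/log/firewall. Added example; the sample lines are constructed
from the forwarded message's entries."""
import re
from collections import Counter

# Assumed record shape: "kernel: SuSE-FW-<RULE> KEY=VALUE ... [flag words] ...",
# as in the SuSE-FW-DROP-ANTI-SPOOF lines quoted in the message.
FW_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z0-9-]+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_record(line):
    """Return a dict for a SuSE-FW record, or None for any other kernel message."""
    m = FW_RE.search(line)
    if not m:
        return None
    rest = m["rest"]
    fields = dict(KV_RE.findall(rest))        # IN, OUT, MAC, SRC, DST, PROTO, SPT, DPT, ...
    # Bare words without '=' are TCP flags (ACK, RST, SYN, ...).
    tcp_flags = [tok for tok in rest.split() if "=" not in tok]
    return {"prefix": m["prefix"], "tcp_flags": tcp_flags, **fields}


def split_firewall_log(text):
    """Partition the log text into (firewall records, other kernel lines)."""
    records, other = [], []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            other.append(line)
        else:
            records.append(rec)
    return records, other


def summarize(records):
    """Count records per SuSE-FW rule name and per (SRC, DST, PROTO, DPT) flow."""
    by_prefix = Counter(r["prefix"] for r in records)
    by_flow = Counter(
        (r.get("SRC"), r.get("DST"), r.get("PROTO"), r.get("DPT")) for r in records
    )
    return by_prefix, by_flow


# Constructed sample built from the lines quoted in the forwarded message,
# with each record on a single line as syslog writes it.
SAMPLE = """\
Jun 10 21:49:58 linux kernel: eth0: no IPv6 routers present
Jun 10 21:51:55 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:50:ba:5e:37:e5:00:04:5a:d8:ca:17:08:00 SRC=192.168.1.1 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=150 ID=55654 PROTO=TCP SPT=3185 DPT=1026 WINDOW=5840 RES=0x00 ACK RST URGP=0
Jun 10 21:51:58 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:50:ba:5e:37:e5:00:04:5a:d8:ca:17:08:00 SRC=192.168.1.1 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=150 ID=55655 PROTO=TCP SPT=3185 DPT=1026 WINDOW=5840 RES=0x00 ACK RST URGP=0
Jun 11 10:30:05 linux kernel: ALSA ../../../alsa-kernel/core/seq/oss/seq_oss_init.c:212: no device found
"""

if __name__ == "__main__":
    recs, other = split_firewall_log(SAMPLE)
    by_prefix, by_flow = summarize(recs)
    print(dict(by_prefix))   # {'SuSE-FW-DROP-ANTI-SPOOF': 2}
    print(dict(by_flow))     # {('192.168.1.1', '192.168.1.100', 'TCP', '1026'): 2}
    print(len(other))        # 2  (the IPv6 and ALSA lines are not firewall records)
```

Filtering on the prefix answers the message's question directly: the OSS/ALSA lines are not firewall hits, they are just kernel output in the same file, and the per-flow counter shows which (source, destination, port) combinations the firewall rules actually acted on.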
