[Full-Disclosure] RE: Reverse http traffic

From: Daniel H. Renner (dan_at_losangelescomputerhelp.com)
Date: 12/31/03

  • Next message: tlarholm_at_pivx.com: "[Full-Disclosure] FW: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page"
    To: James C Slora Jr <Jim.Slora@phra.com>
    Date: 30 Dec 2003 15:09:29 -0800

    Thank you for your reply James - I've put my answers below yours:

    On Tue, 2003-12-30 at 14:18, James C Slora Jr wrote:
    > Daniel H. Renner wrote Tuesday, December 30, 2003 15:33
    > > I had a case recently wherein one of a client's systems
    > > (Win2k) could not access http, or mail traffic. At the same time, 2 other
    > systems
    > > (Win95 and Xandros) could, and yet he could access all of the
    > > other network shares via TCP.
    > <snip>
    > > I then installed a Linux firewall on a spare computer,
    > > replaced the Linksys router with it and instantly his Win2k
    > > was able to browse and get email.
    > This sounds like it was a config problem on the Linksys router - dmz setup
    > or port forwarding or something.

    Could have been, but it was set for DHCP, and any other computer on the
    LAN had no problem, and there was no dmz or port-forwarding setup in the

    > > I checked the firewall logs and saw quite a few attempts from
    > > a Google IP address (whois-ed, but I'm not ignoring that it
    > > was possibly spoofed) that was sending IN traffic with a
    > > source port of 80 and a destination port in the temporary
    > > range (33xx) - eh???
    > Which firewall logs and what time frame? The Linksys before the switchout,
    > the Linux-based firewall after the switchout, or something else?

    My appologies, since I never considered the Linksys/DLink/etc. routers
    to be firewalls I've not addressed them as such - but I see others do
    (remind self that other's terminologies must be used when talking to
    them... :)

    The firewall in question is an IPCop machine (this is a fork of the
    Smoothwall firewall project - www.ipcop.org) with no DHCP server,
    port-forwarding or HTTP proxy running - just a plain brown box... The
    incomings I saw were within approx. a 1-minute timeframe.

    > A lot of things could cause incoming 80 -> 33xx traffic, most of them
    > benign. Do you have any packet captures with flags and ACKs, etc? Were the
    > mystery packets directed to the problem machine or to the router address?
    > Can you give more details about which machines have private addresses and
    > which have public Internet addresses? Was the Linksys firmware up to rev?

    Unfortunately I am still enough of a Linux newbie that I have not
    figured out how to add a sniffer into IPCop (I could install ntop
    though...) but according to the firewall logs the traffic was pointed to
    the external NIC on the IPCop computer specifically which is the only
    public IP address on the LAN. All others are behind the IPCop's
    internal/private IP addressed NIC, and there is no DMZ NIC on the
    system, nor is it setup software-wise for one at the moment.

    Also, all 6 updates of IPCop had been performed on the machine before

    If what could cause this sort of traffic is "mostly benign" then I'll
    have my goose-pimples set to "chill" - if not, then I'm still in "Eh?"

    Thank you,
    Dan Renner
    Los Angeles Computerhelp
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: tlarholm_at_pivx.com: "[Full-Disclosure] FW: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page"

    Relevant Pages

    • Re: Router/Firewall Recommendation
      ... >> standalone router for my broadband connection. ... >> firewall behind my router. ... The Linksys router simply routes, ... This really does depend on the nature of the broadband connection, ...
    • Re: Outlook 2003 blocks outgoing e-mail messages that are medium to la
      ... Most likely it is a Linksys router problem. ... firewalls and connect directly to your ISP's Cable/DSL modem and try sending ... and my Norton Personal Firewall and Windows internal ...
    • Re: Zyxel router for Inspiron 1505?
      ... supercede the default firewall settings. ... names and include technical support (the others ... Someone suggested a Zyxel Extreme-MIMO X550 router. ... Linksys or D-Link. ...
    • Re: Using IPCop 1.3 & Linksys Cable/DSL router
      ... || I'm trying to use my Linksys router & and an old pc running IPcop 1.3 ... || as a firewall to protect my intranet. ... || Do I need some settings here? ...
    • Re: Zone Alarm & Wireless LANs
      ... > all firewall software interferes with LANs and especially wireless ... > (Linksys claims the firewall is built into the router already). ... The whole thing with Linksys Tech Support is BS. ...