Bizarre firewall entries

From:
Date: 08/05/02


Date: Mon, 05 Aug 2002 02:23:20 -0000

A few days ago I noticed some very bizarre log entries in my firewall.
First of all, a little background.

I am running a Slackware 8.0, 2.2.19 kernel dedicated firewall connected
to DSL full time. There are absolutely no services running on this box.
It acts strictly as a firewall/router. I have set up very strong
ipchains rules (I know that I should upgrade to iptables -- this will
be complete in another day or two) based on TrinityOS recommendations.
The machine is programmed to send reports to me each day at midnight.

The first sign of something screwy was when the fw stopped mailing
reports to me. (Using Sendmail 8.11.4 but not in daemon mode). The box
is able to mail to me in dotted quad format but not as host name. I
looked into things a little bit and noticed that mail is being blocked
going out on ppp0 to 10.10.10.10:25. I know that this is a reserved
class A address, but we are set up to use class C (fw is 192.168.0.1,
other boxes as 0.2, 0.3, 0.4 and 0.6). If it means anything, I have one
other Slackware 8.0 box set up and a W95 and a W98 box. 0.6 is being
set up as a minimal distribution with Slack 8.0, kernel 2.4.18 and
some services. When it is ready, it will go up with very strong rules.

I had gone away for 5 days on vacation and left the firewall and my
linux boxes running during that time. During that time, the power
flipped 2 times on Sunday afternoon, close to each other. Everything
still worked fine after that. Then on Tuesday evening, the DSL went
down from the ISP -- I presume this happens to everyone on dynamic
DSL -- at about 11:00pm and did not get restored until 12:10 am. The
mail that was in the mail queue ended up being delivered fine, but
since that time, mail is not able to be delivered by hostname.

My first thought, being paranoid, was that someone had got through my
fw. I did not find anything out of the ordinary, though I am not really
experienced in what to look for. Netstat still does not show any open
ports. An Nmap scan from my computer also shows nothing (scan of all
65535 ports). When I first put the box up I did a listing of the suid
files as per TrinityOS and this still checks out fine on a comparison
of the original. The date stamps on these files also check out okay.

Below is a sample of the class A output reject entries from this morning.
What has me really bothered is the udp packets to port 138 and to port
80 tcp.

Obviously, something is screwy. I am really baffled as to what has
happened. I do not believe that I have been compromised, but these
entries are making me wonder.

To add fuel to the fire, the 0.6 box was being set up to filter mail
and deposit the non-spam and non-virus mail into pop3 mailboxes. This
box, with Sendmail 8.12.4 is also not able to deliver mail locally,
but could mail out to my ISP's mail server. My box that I am using now
had 3 missing libraries necessary to run KDE that were lost before I
went on holidays. I replaced the files from Slackware CD and today they
are missing again.

My apologies for the long post and I hope that this is the correct forum
to ask for help to solve this issue. Does anyone have any ideas on what
to look for to determine what has happened?

Aug 4 00:00:04 nimrod kernel: Packet log: output REJECT ppp0 PROTO=6 216.8.133.159:4947 10.10.10.10:25 L=60 S=0x00 I=4529 F=0x0000 T=64 SYN (#22)
Aug 4 00:10:02 nimrod kernel: Packet log: output REJECT ppp0 PROTO=17 216.8.133.159:64960 10.10.10.10:138 L=205 S=0x00 I=29217 F=0x0000 T=127 (#22)
Aug 4 12:46:46 nimrod kernel: Packet log: output REJECT ppp0 PROTO=6 216.8.133.159:61999 10.10.10.10:80 L=48 S=0x00 I=35656 F=0x4000 T=127 SYN (#22)

TIA,
Dan

*********************************
* Registered Linux user: 244008 *
* Powered by Slackware 8.0      *
*********************************

One dark night, in the middle of the day,
Two dead men got up to fight.
They drew their swords, and shot each other.
The deaf policeman heard the noise.
If you don't believe this lie is true,
Ask the blind man, he saw it too.

                        Author Unknown
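
What a reader of this post would want is a way to pull the three logged
entries apart rather than eyeball them. The script below is an added
example, not code from the original post: it parses the ipchains
"Packet log:" format that the 2.2 kernel writes, flags output-chain
packets on the external interface (assumed to be ppp0) whose destination
is RFC 1918 space, and uses the logged TTL to guess where each packet
originated. The reasoning behind the TTL guess is that a packet the
firewall generates itself carries the Linux initial TTL of 64, whereas a
masqueraded packet from a LAN host has already been decremented once, so
a Windows 9x host (initial TTL 128) shows up as 127; the one-hop LAN
layout is an assumption. The sample lines are the poster's three log
entries joined back onto single lines. The comment that the SMTP entry
is consistent with name resolution returning 10.10.10.10 is a hypothesis
the page does not confirm, which is exactly what the script is meant to
help check.

```python
"""Parse ipchains 'Packet log:' entries and flag outbound packets to private
(RFC 1918) destinations on the external interface.

Added example, not code from the original post. SAMPLE_LOG is the three
entries from the post, unwrapped onto single lines.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 4 00:00:04 nimrod kernel: Packet log: output REJECT ppp0 PROTO=6 216.8.133.159:4947 10.10.10.10:25 L=60 S=0x00 I=4529 F=0x0000 T=64 SYN (#22)
Aug 4 00:10:02 nimrod kernel: Packet log: output REJECT ppp0 PROTO=17 216.8.133.159:64960 10.10.10.10:138 L=205 S=0x00 I=29217 F=0x0000 T=127 (#22)
Aug 4 12:46:46 nimrod kernel: Packet log: output REJECT ppp0 PROTO=6 216.8.133.159:61999 10.10.10.10:80 L=48 S=0x00 I=35656 F=0x4000 T=127 SYN (#22)
"""

# ipchains (2.2 kernel) log format:
#   chain target iface PROTO=n src:sport dst:dport L=len S=tos I=ipid
#   F=fragflags T=ttl [SYN] (#rule)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: (?P<syn>SYN))? \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict for one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    frag = int(m.group("frag"), 16)
    proto = int(m.group("proto"))
    return {
        "chain": m.group("chain"), "target": m.group("target"),
        "iface": m.group("iface"), "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "ttl": int(m.group("ttl")), "syn": m.group("syn") is not None,
        "df": bool(frag & 0x4000),  # don't-fragment bit in the F= field
        "rule": int(m.group("rule")),
    }


def parse_log(text):
    """All parseable ipchains entries in a block of syslog text, in order."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def guess_origin(ttl):
    """Where a packet seen on the output chain most likely came from.

    Locally generated: Linux initial TTL 64. Masqueraded from the LAN: the
    host's initial TTL minus one hop, so Windows 9x/NT (128) -> 127 and
    Linux/Unix (64) -> 63. Assumes one hop between the LAN and ppp0.
    """
    return {64: "local", 127: "masq-windows", 63: "masq-unix"}.get(ttl, "unknown")


def private_leaks(entries, external_ifaces=("ppp0",)):
    """Output-chain packets on an external interface bound for RFC 1918 space.

    Such packets should never leave a firewall. SMTP from the box itself to a
    private address is consistent with name resolution returning that address
    (hypothesis, not confirmed); TTL-127 NetBIOS/HTTP packets point at a
    Windows LAN host being masqueraded.
    """
    out = []
    for e in entries:
        if e["chain"] != "output" or e["iface"] not in external_ifaces:
            continue
        if ipaddress.ip_address(e["dst"]).is_private:
            out.append(dict(e, origin=guess_origin(e["ttl"])))
    return out


def summarize(findings):
    """Map destination -> sorted 'proto/port' strings being reached for."""
    by_dst = defaultdict(set)
    for f in findings:
        by_dst[f["dst"]].add("%s/%d" % (f["proto"], f["dport"]))
    return {dst: sorted(ports) for dst, ports in by_dst.items()}


if __name__ == "__main__":
    leaks = private_leaks(parse_log(SAMPLE_LOG))
    for f in leaks:
        print("%s %s/%d from %s:%d ttl=%d origin=%s" % (
            f["dst"], f["proto"], f["dport"], f["src"], f["sport"],
            f["ttl"], f["origin"]))
    print(summarize(leaks))
```

Run against a real /var/log/messages the same way: feed the file's text to
parse_log and look at what private_leaks returns; anything tagged "local"
was generated by the firewall itself, anything tagged "masq-windows" came
from one of the Windows machines behind it.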


