Re: Firewall hits passing through a NAT router - How does that work?
From: Rincewind (rinso_at_unseen.edu)
Date: Tue, 26 Apr 2005 22:59:24 GMT
On Tue, 26 Apr 2005 18:23:11 -0400, Robert Glueck mumbled something like
> I'm running the Firestarter v.0.92 firewall, installed with default
> settings (all traffic from the Internet denied unless it's a response to
> traffic initiated by my machine) on my desktop machine which runs Xandros
> 2.0.1 and is connected to the Internet via a NAT router and a cable modem
> broadband connection. When I scan my machine using the port scanning
> services offered by Sygate, GRC, PCFlank etc., all ports scanned are
> diagnosed as stealthed. No surprise, as it is the router that's being
> scanned, I assume. I also assume that no connect attempt from the
> Internet that's not in response to a connect initiated by myself should
> pass through the router.
> Yet, I sometimes get firewall hits, occasionally lots of them (dozens in a
> session) that are recorded by Firestarter as dropped packets. They
> consistently come from a small number of domains, in particular
> reverse.theplanet.com (quite a few different specific IP addresses in that
> domain, e.g. 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206),
> reverse.coreix.net (e.g. 220.127.116.11) and dd8316.kasserver.com (a German
> "customer administration system"). The ports that are hit are in the high
> range, e.g. 45321-45445, 33277 and higher, 38600-38800, etc.
> Typical log entries in the /var/log/messages file of Xandros (a
> Debian-based distro) look like this:
> Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted]
> SRC=18.104.22.168 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF
> PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
> Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted]
> SRC=22.214.171.124 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF
> PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0
> Two questions:
> 1. How is it possible that an unauthorized connect attempt from these
> sources can penetrate through the NAT router to be recorded by my
> firewall? As an aside, one of the security scanners available on the web
> that I used to have my machine scanned (I don't remember which) was
> actually able to determine the correct local (LAN) address of my machine,
> behind the router. How is that possible?
> 2. Who are these folks at reverse.theplanet.com, reverse.coreix.net and
> kasserver.com, and what are they up to?
> Many thanks for your help.
The above are responses from a web server(SPT=80). You sometimes get this
behaviour when the web server is so slow to respond that the connection is
timed out by your browsing machine, but the router still remembers the
connection and passes it through. I see this frequently with one of the
news servers I use.
-- Rinso /\ / \ /wizz\ ~~~~~~~~~~~~