Re: Firewall hits passing through a NAT router - How does that work?
From: Llanzlan Klazmon (Klazmon_at_llurdiaxorb.govt)
Date: 04/28/05
- Previous message: Bev A. Kupf: "Re: sendmail compromised - Somebody help me!"
- In reply to: Robert Glueck: "Firewall hits passing through a NAT router - How does that work?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 Apr 2005 14:23:41 +1200
Robert Glueck <rglk@web.de> wrote in
news:t6KdnRERLNDzI_PfRVn-1w@rcn.net:
> I'm running the Firestarter v.0.92 firewall, installed with default
> settings (all traffic from the Internet denied unless it's a response
> to traffic initiated by my machine) on my desktop machine which runs
> Xandros 2.0.1 and is connected to the Internet via a NAT router and a
> cable modem broadband connection. When I scan my machine using the
> port scanning services offered by Sygate, GRC, PCFlank etc., all ports
> scanned are diagnosed as stealthed. No surprise, as it is the router
> that's being scanned, I assume. I also assume that no connect attempt
> from the Internet that's not in response to a connect initiated by
> myself should pass through the router.
>
> Yet, I sometimes get firewall hits, occasionally lots of them (dozens
> in a session) that are recorded by Firestarter as dropped packets.
> They consistently come from a small number of domains, in particular
> reverse.theplanet.com (quite a few different specific IP addresses in
> that domain, e.g. 70.85.109.180, 70.85.15.34, 70.85.14.242,
> 70.84.68.196), reverse.coreix.net (e.g. 83.142.30.80) and
> dd8316.kasserver.com (a German "customer administration system"). The
> ports that are hit are in the high range, e.g. 45321-45445, 33277 and
> higher, 38600-38800, etc.
>
> Typical log entries in the /var/log/messages file of Xandros (a
> Debian-based distro) look like this:
>
> Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted]
> SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51
> ID=0 DF PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
> Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted]
> SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0
> DF PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
Those appear to be http servers that are responding to a SYN request
from your machine. If you accessed these sites from a browser but then
closed the browser before the response came back, you would get this sort
of thing happening.
> Two questions:
>
> 1. How is it possible that an unauthorized connect attempt from these
> sources can penetrate through the NAT router to be recorded by my
> firewall? As an aside, one of the security scanners available on the
> web that I used to have my machine scanned (I don't remember which)
> was actually able to determine the correct local (LAN) address of my
> machine, behind the router. How is that possible?
A connect attempt would be a SYN packet. These appear to be
acknowledgments of SYN packets sent by your machine.
K.
>
> 2. Who are these folks at reverse.theplanet.com, reverse.coreix.net
> and kasserver.com, and what are they up to?
>
> Many thanks for your help.
>
> Robert
>
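An added example, not part of the thread, that parses dropped-packet lines in the netfilter log format shown above and labels each one by TCP handshake stage, so a SYN/ACK from source port 80 is reported as a reply to a connection the host opened rather than as an unsolicited connect attempt. The sample log is constructed: the first two lines mirror the ones quoted above, and the third is an invented SYN-only probe from 192.0.2.10 (a documentation address) for contrast.

```python
import re

# Constructed sample lines in the netfilter/iptables log format that
# Firestarter writes to /var/log/messages (host and MAC shown as [deleted]).
SAMPLE_LOG = """\
Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 20 19:02:07 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=192.0.2.10 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=4021 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# TCP flags appear in the log as bare tokens rather than KEY=VALUE pairs.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one log line plus its TCP flag set."""
    payload = line.split("kernel: ", 1)[1] if "kernel: " in line else line
    fields = dict(KV_RE.findall(payload))
    fields["FLAGS"] = {tok for tok in payload.split() if tok in TCP_FLAGS}
    return fields


def classify(fields):
    """Name the handshake stage a dropped TCP packet belongs to."""
    if fields.get("PROTO") != "TCP":
        return "non-TCP"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is the only thing that is really a new connect attempt.
        return "inbound connect attempt (SYN)"
    if "SYN" in flags and "ACK" in flags:
        # Second step of the handshake: the remote side answering our SYN.
        return "SYN/ACK reply to a connection this host initiated"
    return "stray packet from a finished or aborted connection"


def summarize(log_text):
    """Map each logged packet to (src, spt, dpt, verdict) for review."""
    out = []
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        f = parse_line(line)
        out.append((f["SRC"], int(f["SPT"]), int(f["DPT"]), classify(f)))
    return out


if __name__ == "__main__":
    for src, spt, dpt, verdict in summarize(SAMPLE_LOG):
        print(f"{src}:{spt} -> :{dpt}  {verdict}")
```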