Re: Help identify this firewall message

From: Bill Mullen (
Date: 04/10/04

Date: Sat, 10 Apr 2004 21:00:02 GMT

On Sat, 10 Apr 2004 18:54:31 +0300, Michael Badt sputtered:

> I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b
> firewall on a stand alone PC. I'm connected to the Internet via an
> ADSL connection using rp-pppoe. The ADSL modem is connected to eth1
> (eth0 is not connected and currently not used) which is configured for
> a static 192.168.1.X IP address ( mask).

> MY ISP's IP addresses are: (P) & (S).

Those are their DNS server addresses, I presume?

moon@tvbox:~$ host domain name pointer

Yup. ;)

> Whenever I'm connected to the Internet (ppp0 present) my log file
> files (about every second) with the following entry:

> "Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP: IN=ppp0
> OUT= MAC= SRC= DST= LEN=52 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840
> RES=0x00 ACK SYN URGP=0"

> CVAn somebody help me identufying ther source of this message and/or
> the target IP (

Sure. Heck, you can even do it yourself ...

moon@tvbox:~$ host domain name pointer

The source appears to be a proxy server at your ISP, running on port
8080. The packet *appears* to be a response from this proxy server to a
connection initiated from the address.

moon@tvbox:~$ host
Host not found: 3(NXDOMAIN)

OK, whoever this is has no resolvable hostname. That doesn't - in and of
itself - mean a whole lot, plenty of systems aren't listed in DNS for
any number of perfectly valid reasons.

So, let's try a different tack:

moon@tvbox:~$ whois
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See

inetnum: -
descr: Actcom - Active Communication Ltd.
country: IL
admin-c: AH1743-RIPE
tech-c: AH1743-RIPE
mnt-by: MAINT-AS4148
changed: 20030821
source: RIPE

descr: ACTCOM - Active Communications Ltd.
              Haifa Tower, 63a Herzl St
              Haifa, Israel
origin: AS4148
mnt-by: MAINT-AS4148
changed: 20020407
source: RIPE

person: ACTCOM's Hostmaster
address: ACTCOM - Active Communication Ltd.
address: P.O.Box 5402
address: Haifa 31054
address: Israel
phone: +972 4 8300123
fax-no: +972 4 8676088
nic-hdl: AH1743-RIPE
changed: 20030821
source: RIPE

Hey, whaddaya know, your ISP owns that netblock also. The question is,
why are you even seeing this packet on your wire? I'm thinking some kind
of a routing problem at your ISP is to blame here. When you run (at a
prompt) the command "/sbin/ifconfig ppp0" while connected, what do you
get in response? Are either of the IP addresses there

Bill Mullen   MA, USA   RLU #270075   MDK 8.1 & 9.0
"In communities where men build ships for their own sons to fish or
fight from, quality is never a problem." -- J. A. Dever