Re: Help identify this firewall message
From: Bill Mullen (moon_at_lunarhub.com)
Date: 04/10/04
- Next message: Kierkecaat: "Re: Zonealarm blocking Outlook"
- Previous message: optikl: "Re: Zonealarm blocking Outlook"
- In reply to: Michael Badt: "Help identify this firewall message"
- Next in thread: Micheal Robert Zium: "Re: Help identify this firewall message"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 10 Apr 2004 21:00:02 GMT
On Sat, 10 Apr 2004 18:54:31 +0300, Michael Badt sputtered:
> I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b
> firewall on a stand alone PC. I'm connected to the Internet via an
> ADSL connection using rp-pppoe. The ADSL modem is connected to eth1
> (eth0 is not connected and currently not used) which is configured for
> a static 192.168.1.X IP address (255.255.255.0 mask).
> MY ISP's IP addresses are: 192.114.47.4 (P) & 192.117.47.52 (S).
Those are their DNS server addresses, I presume?
moon@tvbox:~$ host 192.114.47.4
4.47.114.192.in-addr.arpa domain name pointer ns1.actcom.net.il.
Yup. ;)
> Whenever I'm connected to the Internet (ppp0 present) my log file
> files (about every second) with the following entry:
> "Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP: IN=ppp0
> OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840
> RES=0x00 ACK SYN URGP=0"
> CVAn somebody help me identufying ther source of this message and/or
> the target IP (192.115.16.120)?
Sure. Heck, you can even do it yourself ...
moon@tvbox:~$ host 192.114.47.51
51.47.114.192.in-addr.arpa domain name pointer proxy2.actcom.co.il.
The source appears to be a proxy server at your ISP, running on port
8080. The packet *appears* to be a response from this proxy server to a
connection initiated from the 192.155.16.120 address.
moon@tvbox:~$ host 192.115.16.120
Host 120.16.115.192.in-addr.arpa not found: 3(NXDOMAIN)
OK, whoever this is has no resolvable hostname. That doesn't - in and of
itself - mean a whole lot, plenty of systems aren't listed in DNS for
any number of perfectly valid reasons.
So, let's try a different tack:
moon@tvbox:~$ whois 192.115.16.120
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 192.115.16.0 - 192.115.31.255
netname: ACTCOM-NET-BLOCK3
descr: Actcom - Active Communication Ltd.
country: IL
admin-c: AH1743-RIPE
tech-c: AH1743-RIPE
status: ASSIGNED PA
mnt-by: MAINT-AS4148
changed: genah@actcom.co.il 20030821
source: RIPE
route: 192.115.16.0/20
descr: ACTCOM - Active Communications Ltd.
Haifa Tower, 63a Herzl St
Haifa, Israel
origin: AS4148
mnt-by: MAINT-AS4148
changed: vects@actcom.net.il 20020407
source: RIPE
person: ACTCOM's Hostmaster
address: ACTCOM - Active Communication Ltd.
address: P.O.Box 5402
address: Haifa 31054
address: Israel
phone: +972 4 8300123
fax-no: +972 4 8676088
e-mail: domain@actcom.co.il
nic-hdl: AH1743-RIPE
changed: genah@actcom.net.il 20030821
source: RIPE
Hey, whaddaya know, your ISP owns that netblock also. The question is,
why are you even seeing this packet on your wire? I'm thinking some kind
of a routing problem at your ISP is to blame here. When you run (at a
prompt) the command "/sbin/ifconfig ppp0" while connected, what do you
get in response? Are either of the IP addresses there 192.115.16.120?
-- Bill Mullen moon@lunarhub.com MA, USA RLU #270075 MDK 8.1 & 9.0 "In communities where men build ships for their own sons to fish or fight from, quality is never a problem." -- J. A. Dever
- Next message: Kierkecaat: "Re: Zonealarm blocking Outlook"
- Previous message: optikl: "Re: Zonealarm blocking Outlook"
- In reply to: Michael Badt: "Help identify this firewall message"
- Next in thread: Micheal Robert Zium: "Re: Help identify this firewall message"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
