Re: Help identify this firewall message
From: Bill Mullen (moon_at_lunarhub.com)
Date: Sat, 10 Apr 2004 21:00:02 GMT
On Sat, 10 Apr 2004 18:54:31 +0300, Michael Badt sputtered:
> I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b
> firewall on a stand alone PC. I'm connected to the Internet via an
> ADSL connection using rp-pppoe. The ADSL modem is connected to eth1
> (eth0 is not connected and currently not used) which is configured for
> a static 192.168.1.X IP address (255.255.255.0 mask).
> MY ISP's IP addresses are: 220.127.116.11 (P) & 18.104.22.168 (S).
Those are their DNS server addresses, I presume?
moon@tvbox:~$ host 22.214.171.124
126.96.36.199.in-addr.arpa domain name pointer ns1.actcom.net.il.
> Whenever I'm connected to the Internet (ppp0 present) my log file
> files (about every second) with the following entry:
> "Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP: IN=ppp0
> OUT= MAC= SRC=188.8.131.52 DST=184.108.40.206 LEN=52 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840
> RES=0x00 ACK SYN URGP=0"
> CVAn somebody help me identufying ther source of this message and/or
> the target IP (220.127.116.11)?
Sure. Heck, you can even do it yourself ...
moon@tvbox:~$ host 18.104.22.168
22.214.171.124.in-addr.arpa domain name pointer proxy2.actcom.co.il.
The source appears to be a proxy server at your ISP, running on port
8080. The packet *appears* to be a response from this proxy server to a
connection initiated from the 126.96.36.199 address.
moon@tvbox:~$ host 188.8.131.52
Host 184.108.40.206.in-addr.arpa not found: 3(NXDOMAIN)
OK, whoever this is has no resolvable hostname. That doesn't - in and of
itself - mean a whole lot, plenty of systems aren't listed in DNS for
any number of perfectly valid reasons.
So, let's try a different tack:
moon@tvbox:~$ whois 220.127.116.11
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 18.104.22.168 - 22.214.171.124
descr: Actcom - Active Communication Ltd.
status: ASSIGNED PA
changed: email@example.com 20030821
descr: ACTCOM - Active Communications Ltd.
Haifa Tower, 63a Herzl St
changed: firstname.lastname@example.org 20020407
person: ACTCOM's Hostmaster
address: ACTCOM - Active Communication Ltd.
address: P.O.Box 5402
address: Haifa 31054
phone: +972 4 8300123
fax-no: +972 4 8676088
changed: email@example.com 20030821
Hey, whaddaya know, your ISP owns that netblock also. The question is,
why are you even seeing this packet on your wire? I'm thinking some kind
of a routing problem at your ISP is to blame here. When you run (at a
prompt) the command "/sbin/ifconfig ppp0" while connected, what do you
get in response? Are either of the IP addresses there 126.96.36.199?
-- Bill Mullen firstname.lastname@example.org MA, USA RLU #270075 MDK 8.1 & 9.0 "In communities where men build ships for their own sons to fish or fight from, quality is never a problem." -- J. A. Dever