Re: [SLE] Firewall interpretation request

From: Bruce Marshall (bmarsh_at_bmarsh.com)
Date: 08/01/03

To: SLE <suse-linux-e@suse.com>
Date: Thu, 31 Jul 2003 22:20:51 -0400

    On Thursday 31 July 2003 22:08 pm, John wrote:
    > Hiya gang,
    >
    > I happened to notice last night that my RD light on my modem was
    > goin' ape-crazy, and my TD was only once in a while (maybe every 3 or
    > 4 seconds) blinking, so I knew not much was going 'out'. I couldn't
    > for the life of me remember where to look at logs for the firewall,
    > until just now. This is a sample of what I found:
    >
    > Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC=
    > SRC=204.1.226.229 DST=(correct local address) LEN=40 TOS=0x00
    > PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1054 WINDOW=8192
    > RES=0x00 SYN URGP=0
    >
    > Okay, I checked and the SRC was *not* my ISP's remote address, the
    > DST was correct though as *my* assigned address at the time (dial-up
    > modem). I counted 'one second' of these, and had 65 instances within
    > one second. The *only* thing changing at each instance during the one
    > second, was the DPT , which seemed to start at 1024 and go up to 1054,
    > then start at 1024 all over again.
    > So, what I'd like to ask of anyone who knows is...
    > Starting with 'LEN' and going to 'URGP', what do each of those
    > things mean (I think I understand the 'PROTO', heh)?
    > I tried looking some of them up, but wasn't getting anything clear
    > enough for an 'idiot' to understand.
    > Why would only the 'DPT' change, and why only that range?
    > Is/was this a DDoS? It sure didn't bother me any, since I could
    > start a download or surf the web without any noticeable slowdown. Does
    > this mean that SuSEFirewall2 was doing its job well? (I'm leaning
    > strongly toward 'it did a fantastic job')
    >
    > Thanks if anyone finds these questions worth any answers. The
    > curiosity is killin' me. lol
    >
    > John
    > --

    linux1:/var/log # whois 204.1.226.229

    OrgName: Verio, Inc.
    OrgID: VRIO
    Address: 8005 South Chester Street
    Address: Suite 200
    City: Englewood
    StateProv: CO
    PostalCode: 80112
    Country: US

    ReferralServer: rwhois://rwhois.verio.net:4321/

    NetRange: 204.0.0.0 - 204.3.255.255
    CIDR: 204.0.0.0/14
    NetName: VRIO-204-000
    NetHandle: NET-204-0-0-0-1
    Parent: NET-204-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS0.VERIO.NET
    NameServer: NS1.VERIO.NET
    NameServer: NS2.VERIO.NET
    NameServer: NS3.VERIO.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    Comment:
    Comment: ********************************************
    Comment: Reassignment information for this block is
    Comment: available at rwhois.verio.net port 4321
    Comment: ********************************************
    RegDate: 2000-07-26
    Updated: 2003-07-10

    TechHandle: VIA4-ORG-ARIN
    TechName: Verio, Inc.
    TechPhone: +1-303-645-1900
    TechEmail: vipar@verio.net

    OrgAbuseHandle: VAC5-ARIN
    OrgAbuseName: Verio Abuse Contact
    OrgAbusePhone: +1-800-551-1630
    OrgAbuseEmail: abuse@verio.net

    OrgNOCHandle: VSC-ARIN
    OrgNOCName: Verio Support Contact
    OrgNOCPhone: +1-800-551-1630
    OrgNOCEmail: support@verio.net

    OrgTechHandle: VIA4-ORG-ARIN
    OrgTechName: Verio, Inc.
    OrgTechPhone: +1-303-645-1900
    OrgTechEmail: vipar@verio.net

    -- 
    +----------------------------------------------------------------------------+
    + Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI         07/31/03 22:20  +
    +----------------------------------------------------------------------------+
    "Why do we drive on Parkways, and park on Driveways?"
    -- 
    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com
    Also check the archives at http://lists.suse.com
    Please read the FAQs: suse-linux-e-faq@suse.com
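An added example, not from the thread or from SuSEfirewall2 itself: it parses lines in the iptables LOG format John quoted, spells out the fields he asked about (LEN through URGP), and flags the pattern he saw, one source hitting a run of destination ports on one host within the same second. The sample lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the SuSEfirewall2 (iptables LOG) format; documentation-range addresses.
SAMPLE_LOG = """\
Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1024 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32769 PROTO=TCP SPT=65143 DPT=1025 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32770 PROTO=TCP SPT=65143 DPT=1026 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 29 19:44:57 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=53 ID=1 PROTO=TCP SPT=4455 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""
# KEY=VALUE fields: IP header first, then TCP header; bare tokens such as SYN are the TCP flags set.
FIELD_MEANINGS = {
    "LEN": "total IP packet length in bytes", "TOS": "IP type-of-service byte",
    "PREC": "IP precedence bits", "TTL": "IP time-to-live (remaining hops)",
    "ID": "IP identification field", "PROTO": "transport protocol",
    "SPT": "TCP/UDP source port", "DPT": "TCP/UDP destination port",
    "WINDOW": "TCP receive window", "RES": "reserved TCP header bits",
    "URGP": "TCP urgent pointer",
}
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) (?P<rest>.*)$")

def parse_line(line):
    """Return the log line as a dict of fields, or None if it is not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "prefix": m.group("prefix"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value          # OUT= and MAC= are kept as empty strings
        else:
            rec["flags"].append(tok)  # SYN, ACK, FIN, ... (TCP flags)
    return rec

def find_port_sweeps(log_text, min_ports=3):
    """Report sources whose dropped SYNs hit several distinct DPTs on one host in one second."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["flags"]:
            buckets[(rec["ts"], rec["SRC"], rec["DST"])].append(rec)
    sweeps = []
    for (ts, src, dst), recs in buckets.items():
        ports = sorted({int(r["DPT"]) for r in recs})
        if len(ports) >= min_ports:
            sweeps.append({"ts": ts, "src": src, "dst": dst, "hits": len(recs),
                           "low": ports[0], "high": ports[-1]})
    return sweeps
```

Run it over /var/log/messages (or wherever SuSEfirewall2 logs on your box) and a sweep entry per second, source and host is what a log like John's looks like once aggregated; the dropped SYNs with no replies are the firewall doing its job.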
    
