RE: [SLE] Firewall interpretation request

From: Knut Erik Hauslo (KNUTH_at_voelcker.com)
Date: 08/01/03

  • Next message: James Ogley: "Re: [SLE] (REOPENED) Gnome Questoin"
    Date: Fri, 1 Aug 2003 08:33:17 +0200
    To: <bmarsh@bmarsh.com>, "SLE" <suse-linux-e@suse.com>
    
    

    High ports >=1024 <=65535 are used for FTP transfer, and only opened if
    related to a previous session. For example, if you initiate an FTP
    session to some FTP server out there, you would talk to destination port
    21. Any packet from the FTP server is - until data transfer - from port
    21 with destination port >=1024. A passive FTP client then requests the
    IP address and port to be used for data transfer, which is in the high
    ports area. The client then starts the transfer with source port >= 1024
    and destination port >= 1024. That would be normal use. If you define
    poor firewall rules, an attacker might be able to use these ports even if
    no related communication has taken place before.

    -Knut Erik

    -----Original Message-----
    From: Bruce Marshall [mailto:bmarsh@bmarsh.com]
    Sent: Friday, August 01, 2003 4:21 AM
    To: SLE
    Subject: Re: [SLE] Firewall interpretation request

    On Thursday 31 July 2003 22:08 pm, John wrote:
    > Hiya gang,
    >
    > I happened to notice last night that my RD light on my modem was
    > goin' ape-crazy, and my TD was only once in a while (maybe every 3 or
    > 4 seconds) blinking, so I knew not much was going 'out'. I couldn't
    > for the life of me remember where to look at logs for the firewall,
    > until just now. This is a sample of what I found:
    >
    > Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC=
    > SRC=204.1.226.229 DST=(correct local address) LEN=40 TOS=0x00
    > PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1054 WINDOW=8192
    > RES=0x00 SYN URGP=0
    >
    > Okay, I checked and the SRC was *not* my ISP's remote address, the
    > DST was correct though as *my* assigned address at the time (dial-up
    > modem). I counted 'one second' of these, and had 65 instances within
    > one second. The *only* thing changing at each instance during the one
    > second, was the DPT , which seemed to start at 1024 and go up to 1054,
    > then start at 1024 all over again.
    > So, what I'd like to ask of anyone who knows is...
    > Starting with 'LEN' and going to 'URGP', what do each of those
    > things mean (I think I understand the 'PROTO', heh)?
    > I tried looking some of them up, but wasn't getting anything clear
    > enough for an 'idiot' to understand.
    > Why would only the 'DPT' change, and why only that range?
    > Is/was this a DDoS? It sure didn't bother me any, since I could
    > start a download or surf the web without any noticeable slowdown. Does
    > this mean that SuSEFirewall2 was doing its job well? (I'm leaning
    > strongly toward 'it did a fantastic job')
    >
    > Thanks if anyone finds these questions worth any answers. The
    > curiosity is killin' me. lol
    >
    > John
    > --

    linux1:/var/log # whois 204.1.226.229

    OrgName: Verio, Inc.
    OrgID: VRIO
    Address: 8005 South Chester Street
    Address: Suite 200
    City: Englewood
    StateProv: CO
    PostalCode: 80112
    Country: US

    ReferralServer: rwhois://rwhois.verio.net:4321/

    NetRange: 204.0.0.0 - 204.3.255.255
    CIDR: 204.0.0.0/14
    NetName: VRIO-204-000
    NetHandle: NET-204-0-0-0-1
    Parent: NET-204-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS0.VERIO.NET
    NameServer: NS1.VERIO.NET
    NameServer: NS2.VERIO.NET
    NameServer: NS3.VERIO.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    Comment:
    Comment: ********************************************
    Comment: Reassignment information for this block is
    Comment: available at rwhois.verio.net port 4321
    Comment: ********************************************
    RegDate: 2000-07-26
    Updated: 2003-07-10

    TechHandle: VIA4-ORG-ARIN
    TechName: Verio, Inc.
    TechPhone: +1-303-645-1900
    TechEmail: vipar@verio.net

    OrgAbuseHandle: VAC5-ARIN
    OrgAbuseName: Verio Abuse Contact
    OrgAbusePhone: +1-800-551-1630
    OrgAbuseEmail: abuse@verio.net

    OrgNOCHandle: VSC-ARIN
    OrgNOCName: Verio Support Contact
    OrgNOCPhone: +1-800-551-1630
    OrgNOCEmail: support@verio.net

    OrgTechHandle: VIA4-ORG-ARIN
    OrgTechName: Verio, Inc.
    OrgTechPhone: +1-303-645-1900
    OrgTechEmail: vipar@verio.net

    -- 
    +----------------------------------------------------------------------------+
    + Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI         07/31/03 22:20  +
    +----------------------------------------------------------------------------+
    "Why do we drive on Parkways, and park on Driveways?"
    -- 
    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com Also
    check the archives at http://lists.suse.com Please read the FAQs:
    suse-linux-e-faq@suse.com
    
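    The log line John quotes is the netfilter LOG target's key=value format, and the thing that made it
    interesting was the pattern across many lines (one source, one second, DPT walking 1024..1054).
    The following is an added example, not code from the thread or from SuSEfirewall2: a parser for
    that line format plus a detector that flags a source which hits many distinct destination ports
    within one second. The sample log is constructed to mirror the quoted entry (65 bare SYNs from
    204.1.226.229 in one second); 192.0.2.10 and 198.51.100.9 are placeholder addresses, since the
    original DST was redacted.

```python
import re
from collections import defaultdict

# netfilter LOG lines as syslog writes them for SuSEfirewall2:
#   "Mon DD HH:MM:SS host kernel: PREFIX KEY=VALUE ... FLAG ..."
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<prefix>\S+) (?P<rest>.*)$"
)


def parse_fw_line(line):
    """Parse one firewall LOG line into a dict, or return None for other kernel lines.

    KEY=VALUE tokens become entries (the value may be empty, as in OUT= or MAC=);
    bare tokens such as SYN, ACK or DF are collected in the 'flags' set.
    """
    m = LOG_RE.match(line.strip())
    if not m or "IN=" not in m.group("rest"):
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def is_bare_syn(rec):
    """A connection attempt: TCP with SYN set and ACK clear."""
    return (rec.get("PROTO") == "TCP"
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def find_port_sweeps(lines, min_ports=20):
    """Group dropped SYNs by (second, SRC, DST) and report groups that hit at
    least min_ports distinct destination ports within that second."""
    ports_seen = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        rec = parse_fw_line(line)
        if rec is None or not is_bare_syn(rec):
            continue
        key = (rec["ts"], rec["SRC"], rec["DST"])
        ports_seen[key].add(int(rec["DPT"]))
        packets[key] += 1
    sweeps = []
    for (ts, src, dst), ports in ports_seen.items():
        if len(ports) >= min_ports:
            sweeps.append({"ts": ts, "src": src, "dst": dst,
                           "packets": packets[(ts, src, dst)],
                           "distinct_ports": len(ports),
                           "low": min(ports), "high": max(ports)})
    return sorted(sweeps, key=lambda s: s["packets"], reverse=True)


# Constructed sample log modelled on the entry quoted in the thread: 65 SYNs
# in one second from the same source, DPT walking 1024..1054 and wrapping.
# DST is a documentation address standing in for the redacted dial-up
# address; two unrelated lines are mixed in as noise.
_TEMPLATE = ("Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= "
             "SRC=204.1.226.229 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 "
             "ID=32768 PROTO=TCP SPT=65143 DPT={dpt} WINDOW=8192 RES=0x00 SYN URGP=0")
SAMPLE_LOG = (
    [_TEMPLATE.format(dpt=p) for p in range(1024, 1055)]
    + [_TEMPLATE.format(dpt=p) for p in range(1024, 1055)]
    + [_TEMPLATE.format(dpt=p) for p in range(1024, 1027)]
    + ["Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= "
       "SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=54 "
       "ID=2 PROTO=UDP SPT=137 DPT=137",
       "Jul 29 19:45:01 linux kernel: eth0: link up"]
)


if __name__ == "__main__":
    for s in find_port_sweeps(SAMPLE_LOG):
        print("%(ts)s %(src)s -> %(dst)s: %(packets)d SYNs, %(distinct_ports)d "
              "ports (%(low)d-%(high)d)" % s)
```

    LEN=40 with SYN set and no ACK is a bare connection attempt (20-byte IP header plus 20-byte
    TCP header, no options, no payload), which is why the detector keys on that rather than on
    every dropped packet; a real deployment would read /var/log/messages (or wherever syslog puts
    kernel messages) instead of the constructed list.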

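    Knut Erik's reply describes passive mode, where the client opens the data connection itself; the
    case where an inbound high-port rule actually matters is active mode, where the client sends a
    PORT command and the server connects back in. The following is an added example, not code from
    the thread or from SuSEfirewall2, and it goes a little beyond the reply: it decodes the
    h1,h2,h3,h4,p1,p2 tuple that both the PORT command and the 227 passive reply use, and models in a
    few dozen lines the difference between a firewall that tracks the FTP control channel (what the
    kernel's ip_conntrack_ftp helper does when it marks the data connection RELATED) and the "poor
    rules" that simply admit anything to a port >= 1024. All addresses are constructed: 192.0.2.10 is
    the inside host, 198.51.100.7 the FTP server, and 204.1.226.229 the source from the quoted log line.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by the FTP PORT command and the 227 PASV reply
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode an FTP host/port tuple into (ip, port), port = p1*256 + p2."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


class FtpAwareFirewall:
    """Toy model of an outbound-only policy in front of one inside host.

    Strict mode admits an inbound SYN to a high port only when a PORT command
    on a tracked control connection invited exactly that (server, port) pair.
    Sloppy mode is the rule set the thread warns about: anything to a
    destination port >= 1024 gets in.
    """

    def __init__(self, inside_ip, sloppy_high_ports=False):
        self.inside_ip = inside_ip
        self.sloppy = sloppy_high_ports
        self.control = set()    # servers the inside host has a control session with
        self.expected = set()   # (server_ip, data_port) invited by PORT commands

    def outbound_syn(self, dst, dport):
        """The inside host opens a connection; control sessions are remembered."""
        if dport == 21:
            self.control.add(dst)
        return "ACCEPT"

    def control_command(self, server_ip, line):
        """Inspect one client command on a tracked control connection. Only a
        PORT naming the inside host itself creates an expectation; a PORT for
        another address is ignored, so the helper cannot be used to open a
        hole towards a third party."""
        if server_ip not in self.control or not line.upper().startswith("PORT "):
            return False
        ip, port = parse_hostport(line)
        if ip != self.inside_ip or port < 1024:
            return False
        self.expected.add((server_ip, port))
        return True

    def inbound_syn(self, src, dport):
        """Decide on an inbound connection attempt to the inside host."""
        if (src, dport) in self.expected:
            self.expected.discard((src, dport))  # one data connection per PORT
            return "ACCEPT (RELATED)"
        if self.sloppy and dport >= 1024:
            return "ACCEPT (sloppy high-port rule)"
        return "DROP"


def run_scenario(sloppy):
    """Active-mode transfer followed by unrelated SYNs to the same high port."""
    fw = FtpAwareFirewall("192.0.2.10", sloppy_high_ports=sloppy)
    decisions = [fw.outbound_syn("198.51.100.7", 21)]
    fw.control_command("198.51.100.7", "PORT 192,0,2,10,4,30")   # 4*256+30 = 1054
    decisions.append(fw.inbound_syn("198.51.100.7", 1054))       # the invited data connection
    decisions.append(fw.inbound_syn("204.1.226.229", 1054))      # nobody invited this one
    decisions.append(fw.inbound_syn("198.51.100.7", 1054))       # the invitation was used up
    return decisions


if __name__ == "__main__":
    for mode in (False, True):
        print("sloppy" if mode else "strict", run_scenario(mode))
```

    The two runs differ only in the third and fourth decisions: with tracking, the stray SYN to
    1054 is dropped exactly as in John's log, and even the real server cannot reconnect to that port
    without another PORT command; with the sloppy rule, both get through. The same decoder applies
    to the 227 reply in passive mode, where the client is the one connecting out, which is why an
    outbound-only policy needs no inbound high-port rule at all for passive transfers.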