Diffstat (limited to 'zarb-ml/mageia-discuss/20120507/007235.html')
-rw-r--r-- | zarb-ml/mageia-discuss/20120507/007235.html | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/zarb-ml/mageia-discuss/20120507/007235.html b/zarb-ml/mageia-discuss/20120507/007235.html new file mode 100644 index 000000000..1b4936e24 --- /dev/null +++ b/zarb-ml/mageia-discuss/20120507/007235.html 
@@ -0,0 +1,165 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-discuss] Odd entry in log file + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Odd%20entry%20in%20log%20file&In-Reply-To=%3C4FA7BB93.7080900%40Rock3d.net%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="007234.html"> + <LINK REL="Next" HREF="007236.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-discuss] Odd entry in log file</H1> + <B>imnotpc</B> + <A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Odd%20entry%20in%20log%20file&In-Reply-To=%3C4FA7BB93.7080900%40Rock3d.net%3E" + TITLE="[Mageia-discuss] Odd entry in log file">imnotpc at Rock3d.net + </A><BR> + <I>Mon May 7 14:09:55 CEST 2012</I> + <P><UL> + <LI>Previous message: <A HREF="007234.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI>Next message: <A HREF="007236.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7235">[ date ]</a> + <a href="thread.html#7235">[ thread ]</a> + <a href="subject.html#7235">[ subject ]</a> + <a href="author.html#7235">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On 05/07/2012 06:45 AM, Frank Griffin wrote: +><i> On 05/06/2012 09:15 PM, imnotpc wrote: +</I>>><i> +</I>>><i> I apologize that I didn't give more detail when I started this +</I>>><i> thread, but this has become more involved/detailed discussion than I +</I>>><i> envisioned. Let me give you the topography of my network as best as I +</I>>><i> can describe: +</I>>><i> +</I>>><i> Firewall/Gateway: Mga2 box with 3 NICs which forwards traffic from +</I>>><i> the DMZ and the LAN to the Internet and back. The Internet facing NIC +</I>>><i> has a public IP. 
The DMZ is a private subnet with all fixed IPs. The +</I>>><i> LAN subnet also has all fixed IPs in the 192.168.0.0/24 range. +</I>>><i> Iptables firewall logs and drops all traffic that doesn't originate +</I>>><i> from these subnets. +</I>>><i> +</I>>><i> LAN: All the LAN hosts have fixed IPs IN the 192.168.0.0/24 range. +</I>>><i> Linux host firewalls block all outgoing traffic that doesn't +</I>>><i> originate from the assigned IP address. Windows/other hosts do +</I>>><i> whatever they do. +</I>>><i> +</I>>><i> Wireless Router Attached to the LAN: The LAN facing NIC on the +</I>>><i> wireless router has a fixed IP of 192.168.0.100. The wireless +</I>>><i> interface is configured to assign IPs in the 192.168.2.0/24 range to +</I>>><i> the wireless hosts using DHCP. +</I>>><i> +</I>>><i> Wireless Hosts: Connect to wireless router via DHCP. I believe these +</I>>><i> hosts are generating the martian packets. +</I>>><i> +</I>>><i> I understand the the wireless host may identify themselves using +</I>>><i> other IPs due to other connection/configuration issues, but I can't +</I>>><i> understand how the kernel on the Mga2 gateway is ever able to see +</I>>><i> packets originating from 192.168.3.2 or any other unauthorized +</I>>><i> subnet. This is my major concern since it may indicate an error in my +</I>>><i> LAN configuration. +</I>><i> +</I>><i> 1) Is eth0 the interface facing the internet ? +</I> +No, this interface faces the LAN which has a 192.168.0.0/24 subnet. + +><i> +</I>><i> 2) Is 173.194.74.154 the IP address assigned (currently) to you by +</I>><i> your ISP ? +</I> +No, that IP returns to qe-in-f154.1e100.net which appears to be a server +owned by Google. + +><i> +</I>><i> 3) If you ping 192.168.3.2 when you're getting the martians, do you +</I>><i> get any response ? +</I> +[<A HREF="https://www.mageia.org/mailman/listinfo/mageia-discuss">root at Cedar1</A> /]# ping -c 5 192.168.3.2 +PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data. 
+ +--- 192.168.3.2 ping statistics --- +5 packets transmitted, 0 received, 100% packet loss, time 3999ms + +><i> +</I>><i> 4) What does "traceroute 192.168.3.2" from the gateway give ? +</I> +[<A HREF="https://www.mageia.org/mailman/listinfo/mageia-discuss">root at Cedar1</A> /]# traceroute 192.168.3.2 +traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 60 byte packets + 1 74-94-209-242-BusName-VA.hfc.comcastbusiness.net (74.94.209.242) +0.670 ms 1.372 ms 1.686 ms + 2 * * * + 3 * * * + 4 * * * + 5 * * * + 6 * * * + 7 * * * + 8 * * * + 9 * * * +10 * * * +11 * * * +12 * * * +13 * * * +14 * * * +15 * * * +16 * * * +17 * * * +18 * * * +19 * * * +20 * * * +21 * * * +22 * * * +23 * * * +24 * * * +25 * * * +26 * * * +27 * * * +28 * * * +29 * * * +30 * * * + +Well isn't that interesting. That Comcast IP is the address of the ISP +gateway I use. Both of my firewall/gateway boxes that are logging +martian packets are connected to similar Comcast routers. The routers +are configured in bridge mode so the router DHCP service has no effect +on my connection, but it might still be active on the router. Also each +ISP router also has a wireless interface and that could still be active. +My firewall doesn't block any private IPs coming from the Internet +interface since the ISP routers would never forward them, so that +explains how they get past the firewall. + +I can reconfigure the firewall to block these, but now I'm wondering if +this is a security issue and if I should try to change the ISP router +settings. I really hate messing with router settings I haven't used +before but I hate unauthorized access even more. Thoughts? 
+ +Jeff +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="007234.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI>Next message: <A HREF="007236.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7235">[ date ]</a> + <a href="thread.html#7235">[ thread ]</a> + <a href="subject.html#7235">[ subject ]</a> + <a href="author.html#7235">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss +mailing list</a><br> +</body></html> |
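Review bot: In the <PRE> body, the shell prompts in the ping and traceroute transcripts are wrapped in an <A HREF="https://www.mageia.org/mailman/listinfo/mageia-discuss"> link and read "root at Cedar1", so the archiver's address obfuscation appears to have treated a user@host prompt as an e-mail address and altered the quoted terminal output. If this file is generated rather than imported verbatim, the rewrite should skip prompt-like tokens inside quoted output. Separately, the mailto HREFs in the LINK REL="made" tag and in the author anchor carry a raw & before In-Reply-To, which should be written as &amp; inside an attribute value.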