From: Tom E. <te...@sh...> - 2005-12-10 01:28:57
On Friday 09 December 2005 17:06, su...@gm... wrote:
> I noticed there are some strange log in one of my home pc (400sc) running
> debian sid/shorewall. Somehow this packet passed my home server (dell)
> running debian sarge and reached the 400sc. I don't understand how could it
> penetrate the shorewall in the server as I didn't set up any port
> forwarding at all. I hope someone here can give me some insights on what
> this means and how could I prevent it from happening again.
>
> Here is my home network setup:
> dsl---eth0---dell/debian sarge/shorewall
>
> eth1(192.168.0.1)
>
> | wired connection
>
> dlink wireless router
>
> | wired connection
>
> eth0(192.168.0.40)
>
> 400sc/debian sid/shorewall
>
> And here is the strange message from 400sc log:
> Dec 5 20:42:25 400sc kernel: Shorewall:eth0_mac:REJECT:IN=eth0 OUT=
> MAC=mac of 192.168.0.40/eth0:mac of 192.168.0.1/eth1:08:00
> SRC=202.108.45.50 DST=192.168.0.40 LEN=52 TOS=0x00 PREC=0x00 TTL=46
> ID=45333 DF PROTO=TCP SPT=80 DPT=35863 WINDOW=58 RES=0x00 ACK URGP=0
>

Given that this packet is being rejected because of MAC filtration, looks to
me like a maclist configuration error. Note that it is a simple response
packet from a remote web server somewhere on the net.

Also given that the packet is going through maclist filtration, it is in the
NEW state even though it is not a SYN packet. So for some reason, Shorewall
doesn't know about this connection -- possibly because of packet loss during
session termination or because your firewall was rebooted within the last
several days.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
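
Added example, not part of the original message or of Shorewall: a small log triage script that parses Shorewall log lines like the one quoted above and separates real inbound connection attempts (SYN only) from replies to a connection the firewall no longer tracks (ACK without SYN, as in this thread). The function names `parse_shorewall` and `classify` are hypothetical, and the MAC octets and the second sample line are constructed.

```python
import re

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_shorewall(line):
    """Split a Shorewall/netfilter LOG line into chain, disposition, fields, TCP flags."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if m is None:
        return None
    chain, disposition, rest = m.groups()
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:                      # KEY=VALUE (value may be empty, e.g. OUT=)
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:              # bare words such as ACK or SYN; DF is ignored
            flags.add(tok)
    return {"chain": chain, "disposition": disposition, "fields": fields, "flags": flags}

def classify(line):
    """Label a logged TCP packet by what its flags say about connection state."""
    rec = parse_shorewall(line)
    if rec is None or rec["fields"].get("PROTO") != "TCP":
        return "not-tcp"
    if rec["flags"] == {"SYN"}:
        return "connection-attempt"         # a genuine new inbound connection
    # Anything else reaching a chain that handles only NEW-state packets is
    # mid-stream traffic for a connection the firewall has no record of.
    return "stray-reply"

# Constructed sample lines; MAC octets and the second line's addresses are made up.
SAMPLES = [
    "Dec  5 20:42:25 400sc kernel: Shorewall:eth0_mac:REJECT:IN=eth0 OUT= "
    "MAC=02:00:00:00:00:40:02:00:00:00:00:01:08:00 SRC=202.108.45.50 "
    "DST=192.168.0.40 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=45333 DF PROTO=TCP "
    "SPT=80 DPT=35863 WINDOW=58 RES=0x00 ACK URGP=0",
    "Dec  5 20:43:01 400sc kernel: Shorewall:eth0_mac:REJECT:IN=eth0 OUT= "
    "MAC=02:00:00:00:00:40:02:00:00:00:00:01:08:00 SRC=203.0.113.9 "
    "DST=192.168.0.40 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1207 DF PROTO=TCP "
    "SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        rec = parse_shorewall(s)
        print(rec["fields"]["SRC"], rec["fields"]["SPT"], "->", classify(s))
```

A run of `stray-reply` entries shortly after a firewall restart points at lost connection-tracking state rather than at traffic forwarded from outside.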