From: Eric Lease Morgan <emorgan@nd...> - 2008-11-25 02:30:59
How do I configure my host to go about denying IPSec connections?
First of all, if this is not the proper list to ask my question, then
just tell me and I'll go away. I promise.
I have a computer on a 100 Mbit/s network running Fedora 7. The
majority of time my network's throughput runs about 1 Mbit/s, but
after using a network monitoring program (ntop) I noticed that my
throughput regularly increased to about 3 Mbit/s. Using a packet
capturing program (Wireshark) I noticed that a particular host
connected to my computer and transferred MBs of data to a second
computer. I think the connections used by these outside hosts are
IPSec (ESP) connections. What is even weirder is that a second
monitoring program (munin) does not register these connections unless
ntop is running. BTW, when these connections are monitored by munin I
see that my ACPI interrupts increase. Ironically, I have few TCP ports
open (22, 80, 443, 3306, 9999) and 0 UDP ports open. I have tried
adding some rules to my iptables (-A RH-Firewall-1-INPUT -p 50 -j
REJECT and -A RH-Firewall-1-INPUT -p 51 -j REJECT) configuration to
deny these particular hosts to no avail.
How do I get rid of these unwanted (IPSec) connections? What have I
done wrong or inadvertently turned on? This is both frustrating and
Eric Lease Morgan
On Nov 25, 2008, at 3:57 PM, Stephen Clark wrote:
>> How do I configure my host to go about denying IPSec connections?
> Ntop by default will put your interfaces in promiscuous mode which
> lets your nic card see all traffic - even traffic not destined to
> you. It is my suspicion that you are just seeing traffic that is
> flowing by on the net but is not really affecting your system.
Thank you! After turning promiscuous mode off on ntop I don't see the
connections in Wireshark. When I turn promiscuous mode on in Wireshark
and/or ntop, then I see the weird connections. This whole process was
very educational. Again, thank you.
Eric Lease Morgan
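Stephen's point can be checked directly from a capture: a frame whose destination MAC is not the host's own MAC is only visible because the interface is promiscuous, and it never reaches the IP stack (so iptables INPUT rules such as the "-p 50 ... REJECT" ones above cannot affect it). The following is an added example, not code from the thread; it builds a few constructed Ethernet/IPv4 frames (the MACs and 192.0.2.x addresses are made up) and splits ESP/AH byte counts into "addressed to this host" versus "merely passing by".

```python
import struct

# All MAC and IP addresses below are constructed for this example, not from the thread.
HOST_MAC = bytes.fromhex("001122334455")
OTHER_MAC_A = bytes.fromhex("00aabbccdd01")
OTHER_MAC_B = bytes.fromhex("00aabbccdd02")
BROADCAST = b"\xff" * 6
PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def build_frame(dst_mac, src_mac, proto, src_ip, dst_ip, payload=b""):
    """Build a minimal Ethernet II + IPv4 frame (no IP options, zero checksum)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + payload

def classify(frame, host_mac=HOST_MAC):
    """Return (protocol name, addressed_to_host) for one captured frame."""
    dst_mac = frame[0:6]
    to_host = dst_mac in (host_mac, BROADCAST)   # unicast-to-us or broadcast
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return ("non-IPv4", to_host)
    proto = frame[14 + 9]                         # IPv4 protocol field (offset 9 in IP header)
    return (PROTO_NAMES.get(proto, f"proto-{proto}"), to_host)

def summarize(frames, host_mac=HOST_MAC):
    """Byte counts per protocol, split into frames for this host vs. frames only seen in promisc mode."""
    totals = {}
    for frame in frames:
        name, to_host = classify(frame, host_mac)
        bucket = totals.setdefault(name, {"to_host": 0, "passing_by": 0})
        bucket["to_host" if to_host else "passing_by"] += len(frame)
    return totals

# Constructed capture: an ESP flow between two other hosts, plus one ESP and one TCP frame for us.
SAMPLE_CAPTURE = [
    build_frame(OTHER_MAC_B, OTHER_MAC_A, 50, "192.0.2.10", "192.0.2.20", b"\x00" * 1400),
    build_frame(OTHER_MAC_B, OTHER_MAC_A, 50, "192.0.2.10", "192.0.2.20", b"\x00" * 1400),
    build_frame(HOST_MAC, OTHER_MAC_A, 50, "192.0.2.10", "192.0.2.1", b"\x00" * 100),
    build_frame(HOST_MAC, OTHER_MAC_A, 6, "192.0.2.10", "192.0.2.1", b"\x00" * 40),
]

if __name__ == "__main__":
    for proto, counts in summarize(SAMPLE_CAPTURE).items():
        print(f"{proto:8} to_host={counts['to_host']:6}  passing_by={counts['passing_by']:6}")
```

Anything that lands in the "passing_by" column is other hosts' traffic that the NIC would normally discard; it is a sign of promiscuous capture, not of a connection to this machine.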