[lug] RFI packet log deny message

D. Stimits stimits at idcomm.com
Tue Oct 23 23:17:41 MDT 2001


B O'Fallon wrote:
> 
> Hello,
> 
> I was looking at my root mail tonight and noticed the following:
> 
>      Oct 23 21:56:11 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=21355 F=0x4000 T=51 SYN (#59)
> 
>      Oct 23 21:56:20 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=41627 F=0x4000 T=51 SYN (#59)
> 
>      Oct 23 21:56:32 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=3142 F=0x4000 T=51 SYN (#59)
> 
> nslookup revealed that 152.2.210.121 is latinhouse.metalab.unc.edu. I
> wasn't doing anything with them that I know of.
> 
> 10.0.0.3 is address assigned to my ethernet card by the NAT feature of
> my Cisco 675.
> 
> Could someone explain what this is? Is someone at unc probing the ftp
> port of the ipaddress for my cisco and it is getting passed through to
> the firewall I am running on 10.0.0.3?

Proto 6 means TCP, so spoofing is less likely (rather unlikely in any
case but DoS, where TCP is involved).

They originated their request from port 20, it was not the destination.
They got to your mudhen machine. Is mudhen 10.0.0.3? Or is 10.0.0.3
something mudhen forwards to? If 10.0.0.3 *IS* mudhen, then they got to
this internal IP via your NAT. If mudhen merely forwards to 10.0.0.3,
then they stopped at mudhen.

I don't know what your NAT rules are. Are particular ports dedicated to
forwarding to 10.0.0.3? If not, then it likely means a process located
at 10.0.0.3 sent a request to 152.2.210.121, and just happened to reply
to that port 32897. Not sure, maybe someone knows if 32897 is a known
trojan port? In any case, unless NAT has preassigned port schemes, then
10.0.0.3 had to originate a request in order for the NAT to know which
machine it goes to. The input chain killed the request.

D. Stimits, stimits at idcomm.com

> 
> Thanx.
> 
> BOF
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
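To make the reasoning in this thread mechanical, here is a small decoder for ipchains "Packet log:" lines. It is an added example, not code from either poster or from the LUG; the field layout is taken from the three lines in the post (PROTO number, src:port dst:port, L/S/I/F/T and the TCP flag word), the port-20 = ftp-data mapping is the IANA assignment, and the 0x4000 bit in the F= word is the IP Don't-Fragment flag. It parses the lines, groups them by 5-tuple so the three entries show up as one retried connection rather than three events, and states what a SYN from a well-known source port to an ephemeral destination port most plausibly is.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Decoder for ipchains "Packet log:" lines (Linux 2.2 kernel firewall), written as an
# added example for this thread; the three sample lines below are the ones from the
# post, re-joined where the mail client wrapped them.  Field meanings:
#   <chain> <action> <iface> PROTO=<ip proto>  <src>:<sport> <dst>:<dport>
#   L=<total length> S=<TOS> I=<IP id> F=<fragment word> T=<TTL> [TCP flags] (#<rule>)
SAMPLE_LOG = """\
Oct 23 21:56:11 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=21355 F=0x4000 T=51 SYN (#59)
Oct 23 21:56:20 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=41627 F=0x4000 T=51 SYN (#59)
Oct 23 21:56:32 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=3142 F=0x4000 T=51 SYN (#59)
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
FTP_DATA_PORT = 20          # IANA ftp-data: an active-mode FTP server connects *from* here
IP_DF_BIT = 0x4000          # "Don't Fragment" bit in the IP fragment word shown as F=

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)


def parse_line(line: str) -> dict:
    """Turn one Packet log line into typed fields; raises on anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipchains Packet log line: {line!r}")
    d = m.groupdict()
    proto_num = int(d["proto"])
    return {
        # syslog timestamps carry no year; good enough for deltas within one day
        "ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),
        "host": d["host"], "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "ttl": int(d["ttl"]), "ipid": int(d["ipid"]),
        "df": bool(int(d["frag"], 16) & IP_DF_BIT),
        "flags": d["flags"].split(),
        "rule": int(d["rule"]),
    }


def parse_log(text: str) -> List[dict]:
    return [parse_line(ln) for ln in text.splitlines() if "Packet log:" in ln]


def classify(rec: dict) -> str:
    """Explain what a single denied packet most plausibly is, in defender terms."""
    if rec["proto"] != "TCP":
        return f"{rec['proto']} packet; this decoder only reasons about TCP"
    notes = []
    if "SYN" in rec["flags"]:
        notes.append("SYN: a fresh inbound connection attempt, not a reply to a flow this host opened")
    if rec["sport"] < 1024 <= rec["dport"]:
        notes.append(f"well-known source port {rec['sport']} to ephemeral port {rec['dport']}: "
                     "a server is dialling back to a client")
    if rec["sport"] == FTP_DATA_PORT:
        notes.append("TCP/20 is ftp-data: consistent with an active-mode FTP data channel, "
                     "which the remote server opens to the port the client announced with PORT")
    if rec["df"]:
        notes.append("DF set")
    return "; ".join(notes)


def summarize(records: List[dict]) -> List[dict]:
    """Group by 5-tuple so repeated SYNs show up as retransmits rather than separate events."""
    flows: Dict[Tuple, List[dict]] = defaultdict(list)
    for r in records:
        flows[(r["proto"], r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    out = []
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) > 1:
            pattern = (f"{len(recs)} packets, {len({r['ipid'] for r in recs})} distinct IP ids, "
                       f"over {span:.0f}s on one 5-tuple: SYN retransmissions of a single "
                       "connection attempt (a port scan would vary the destination port)")
        else:
            pattern = "single packet"
        out.append({"flow": key, "count": len(recs), "span_s": span,
                    "pattern": pattern, "verdict": classify(recs[0])})
    return out


if __name__ == "__main__":
    for s in summarize(parse_log(SAMPLE_LOG)):
        print(s["flow"], "|", s["pattern"])
        print("  ", s["verdict"])
```

Run against the three lines from the post, the decoder reports one flow, three packets with three different IP ids over 21 seconds, and a verdict that the traffic is a server on TCP/20 dialling back to the client's port 32897, which is how an active-mode FTP data channel arrives. That matches the reply's point that 10.0.0.3 must have originated something for the NAT to know where to send the packet; if that FTP session was wanted, the fix is passive mode (the client opens the data channel outbound) rather than loosening the input chain.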
