[lug] RFI packet log deny message
John Hernandez
John.Hernandez at noaa.gov
Wed Oct 24 11:23:45 MDT 2001
My guess is that you initiated an ftp session (which subsequently hung)
to ftp3.sourceforge.net AKA latinhouse.metalab.unc.edu. The reason I
speculate is this looks like a return ftp-data connection request. NAT
devices can save state for ftp sessions and forward the return
connection to the internal client for a short window.
To fix the problem of the hung session, you can do one of many things:
1) Use a passive mode client (may not work with some servers)
2) Relax your firewall to allow for incoming connections to port 20
3) Try the ftp-data patch at
http://www.suse.de/~mha/README.patch.ftp-data-2 (for 2.2.x kernels) or
use the newer netfilter/iptables solution (2.4.x)
-John
B O'Fallon wrote:
> Hello,
>
> I was looking at my root mail tonight and noticed the following:
>
> Oct 23 21:56:11 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=21355 F=0x4000 T=51 SYN (#59)
>
> Oct 23 21:56:20 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=41627 F=0x4000 T=51 SYN (#59)
>
> Oct 23 21:56:32 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=3142 F=0x4000 T=51 SYN (#59)
>
> nslookup revealed that 152.2.210.121 is latinhouse.metalab.unc.edu. I
> wasn't doing anything with them that I know of.
>
> 10.0.0.3 is the address assigned to my ethernet card by the NAT feature of
> my Cisco 675.
>
> Could someone explain what this is? Is someone at UNC probing the ftp
> port of the IP address for my Cisco and it is getting passed through to
> the firewall I am running on 10.0.0.3?
>
> Thanx.
>
> BOF
--
- John Hernandez - Network Engineer - 303-497-6392 -
| National Oceanic and Atmospheric Administration |
| Mailstop R/OM12. 325 Broadway, Boulder, CO 80305 |
----------------------------------------------------
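
Added example, not part of the original thread: a small parser for the ipchains packet-log lines quoted above that flags blocked entries matching the pattern described in the reply (inbound TCP SYN from source port 20 to a high client port). The function names and the 1024 port cutoff are assumptions made for illustration.

```python
import re
from collections import Counter

# ipchains (2.2.x) "Packet log:" layout, matching the entries quoted in this thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# The three entries from the post, each rejoined onto one line.
SAMPLE = """\
Oct 23 21:56:11 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=21355 F=0x4000 T=51 SYN (#59)
Oct 23 21:56:20 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=41627 F=0x4000 T=51 SYN (#59)
Oct 23 21:56:32 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=3142 F=0x4000 T=51 SYN (#59)
"""

def parse(line):
    """Return one log entry as a dict, or None if the line is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        entry[key] = int(entry[key])
    entry["syn"] = entry["syn"] is not None
    return entry

def is_ftp_data_return(entry):
    """Blocked inbound TCP SYN from port 20 to an unprivileged port (assumed cutoff: 1024)."""
    return (entry["action"] in ("DENY", "REJECT") and entry["proto"] == 6
            and entry["syn"] and entry["sport"] == 20 and entry["dport"] >= 1024)

def summarize(text):
    """Count matching entries per (src, sport, dst, dport) flow."""
    flows = Counter()
    for line in text.splitlines():
        entry = parse(line)
        if entry and is_ftp_data_return(entry):
            flows[(entry["src"], entry["sport"], entry["dst"], entry["dport"])] += 1
    return dict(flows)

if __name__ == "__main__":
    for (src, sport, dst, dport), hits in summarize(SAMPLE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {hits} blocked SYN(s), "
              "likely active-mode FTP data connection")
```

Several hits on a single flow with changing `I=` values, as in this sample, are consistent with the server retrying one data connection rather than with probing across ports.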