[lug] Strange port scan
Warren Sanders
warren at sandersonline.org
Fri Nov 19 11:33:47 MST 2004
I had a strange report of a port scan from a well-known IP last night.
I did a presentation at my local LUG on SmoothWall. Part of the demo I
was going to show the VPN features. So I needed to shell into my box at
work to get some addys. Unfortunately it wasn't answering. Later while
showing the log screens of the SW web interface, I noticed the intrusion
detection log had three detected scans from my work IP which I was
trying to shell into earlier! Stumped. Chatting this morning between
some who were there last night about this has gotten nowhere. Maybe
someone here could offer some reasoning?
This is the network topology at my work:
The router has a public IP running NAT --> port forwarding to my
workstation box for ssh.
I received a /30 to test my SmoothWall with and they added .28 to the
router for this test.
The SW is sitting on a 10 base hub using a .30 (SW's Red) and its
gateway is .29. The hub branches off an unmanaged switch. The 5 port
switch sits off the router (so there was no more room at the Inn okay).
SW's Green is also on the same 10 base hub.
My ssh box, sitting on the LAN, was set to use the SW as its default
route. It ping tested okay for VPN to other SW boxes I had set up
remotely. So I couldn't ssh in most likely because my box's route was
set to the wrong route I presume. So the traffic was trying to come
back out the SW causing the port scan?
Another tidbit; I am unable to ssh to the SW of a remote SW with an
active VPN connection. Is that because it sees some sort of spoofing
going on and no private IP can connect to the Red anyway? Since setting
my default route back to point at the router I have no problems shelling
out and back in again.
Your insight is appreciated, thanks and yes I am posting this on the SW
forum as well.
--
Warren Sanders
Family Photo Galleries
http://SandersOnline.org