On Jan 4, 2008 10:16 AM, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> I found this in my log today:
>
> Jan 3 21:58:05 titan kernel: Shorewall:fw2net:REJECT:
> IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.185.144
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27582 DF
> PROTO=TCP SPT=38111 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0
> Jan 3 21:58:05 titan kernel: Shorewall:fw2net:REJECT:
> IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.184.142
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27569 DF
> PROTO=TCP SPT=47263 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I have shorewall reject anything going out via a port I haven't opened.
> Neither source nor destination ports are in /etc/services and I haven't
> seen these before.
>
> My concern is that they come from my box (fw) and attempt to go out to
> the net. This implies that something on my box is corrupted. Any
> ideas? At the time of this entry, my box was running Konqueror (via ssh
> from the other box) and was downloading information on HP DDS tapes from
> the HP website. It also had open tabs to wikipedia and perhaps a google
> search results page.
>

-----8<-----
[EMAIL PROTECTED]:~$ dig -x 16.100.185.144

; <<>> DiG 9.3.4 <<>> -x 16.100.185.144
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22933
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3

;; QUESTION SECTION:
;144.185.100.16.in-addr.arpa. IN PTR

;; ANSWER SECTION:
144.185.100.16.in-addr.arpa. 14400 IN PTR internal-host.americas.hpqcorp.net.

;; AUTHORITY SECTION:
185.100.16.in-addr.arpa. 14400 IN NS ns4.hp.com.
185.100.16.in-addr.arpa. 14400 IN NS ns3.hp.com.
185.100.16.in-addr.arpa. 14400 IN NS ns1.hp.com.
185.100.16.in-addr.arpa. 14400 IN NS ns2.hp.com.
185.100.16.in-addr.arpa. 14400 IN NS ns6.hp.com.
185.100.16.in-addr.arpa. 14400 IN NS ns5.hp.com.

;; ADDITIONAL SECTION:
ns4.hp.com. 4974 IN A 15.203.224.14
ns2.hp.com. 4973 IN A 15.219.160.12
ns6.hp.com. 4973 IN A 15.195.208.12

;; Query time: 154 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Fri Jan 4 10:27:08 2008
;; MSG SIZE rcvd: 255
-----8<-----

Maybe their download server runs on an alternate port? (Though I cannot
seem to telnet to this server on 8030 or 80.)

-- 
Chris Howie
http://www.chrishowie.com
http://en.wikipedia.org/wiki/User:Crazycomputers
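
Added example (not part of the original messages): a short Python parser for the Shorewall/netfilter log format quoted above. It picks out new TCP connections that originated on the firewall host itself (empty IN=, SYN without ACK) and groups their destinations by port. The sample input is the two log entries from the message joined onto single lines; the function names are this example's own.

```python
import re
from collections import defaultdict

# The two entries quoted in the message, joined onto one line each
# (syslog writes a netfilter entry as a single line; the mail wrapped them).
SAMPLE_LOG = """\
Jan 3 21:58:05 titan kernel: Shorewall:fw2net:REJECT: IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.185.144 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27582 DF PROTO=TCP SPT=38111 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 3 21:58:05 titan kernel: Shorewall:fw2net:REJECT: IN= OUT=ppp0 SRC=209.29.44.23 DST=16.100.184.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27569 DF PROTO=TCP SPT=47263 DPT=8030 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<disposition>:" followed by KEY=value tokens and bare flags.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):\s*(?P<rest>.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_entry(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    entry = {"chain": m["chain"], "action": m["action"], "flags": set()}
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value            # "IN=" is stored as an empty string
        elif token in TCP_FLAGS:
            entry["flags"].add(token)     # other bare tokens (e.g. DF) are ignored
    return entry

def local_outbound_attempts(log_text):
    """Map destination port -> sorted destinations for locally originated SYNs."""
    by_port = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_entry(line)
        if not e or e.get("PROTO") != "TCP":
            continue
        new_conn = "SYN" in e["flags"] and "ACK" not in e["flags"]
        # Empty IN= with an OUT= interface: the packet came from this host.
        if e.get("IN") == "" and e.get("OUT") and new_conn:
            by_port[int(e["DPT"])].add(e["DST"])
    return {port: sorted(dsts) for port, dsts in by_port.items()}

if __name__ == "__main__":
    for port, dsts in local_outbound_attempts(SAMPLE_LOG).items():
        print(f"tcp/{port}: {len(dsts)} destination(s): {', '.join(dsts)}")
```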