At 09:42 18-2-00 -0500, you wrote:
>> Hello,
>> 
>> I have a router/firewall with ipchains which protects the internal novell
>> 3.12 network. This works perfectly. However, I do find a lot of denies in
>> the logs which I cannot explain. These are the following log entries:
>> 
>> output DENY ippp0 proto=6 195.86.4.71:61041 194.151.216.202:80 L=569 S=0x10
>> I=64784 F=0x4000 T=31
>
>This is part of an ongoing http connection, probably from a box using IP
>masquerading.  Maybe from the firewall/masquerading box.
>
>> 
>> and
>> 
>> output DENY ippp0 proto=17 195.86.48.17:1024 192.112.36.4:53 L=61 S=0x00
>> I=354 F=0x000 T=64
>
>This is a DNS (reply I think).  Is 195.86.48.17 one of your DNS servers?

Sorry, I should have been more specific. The router/fw uses masquerading
indeed. The router/fw dials into the ISP's server, which dynamically
assigns an IP address. The DNS IPs are 194.165.94.1 and 194.165.94.5. My
guess is that the source numbers in the log entries are the dynamically
assigned IP addresses. I am also running a caching only nameserver. Could
this log entry be the caching only nameserver trying to resolve an address?

>
>> 
>> These denies are generated by a 'catch all rule' at the end of the output
>> chain. My questions about these denies are
>> 
>> 1. What is service 61041?
>
>In the context above (proto=6), port 61041 is not a service, but the source
>(from) port chosen by the application that opened the connection.  The
>source port is generally chosen in a somewhat arbitrary fashion from a
>designated range of ports.  If I had to guess, I'd say that IP masquerading
>was involved because of the high source port number.

I thought IP masquerading only changes the IP address of the data packets.
So what does it need the high port numbers for? If it changed the
port number of every data packet, I would not be able to make an internet
connection at all.

Thanks,

Robert-Jan

>
>> 2. Why is the service from the source IP different from the service from
>> the destination IP?
>
>They just are.  The destination port determines what service is being
>"requested".  In the case of the first entry above, it looks like part of an
>http connection (port 80) was blocked.
>
>> 
>> The firewall works very well, so obviously these denied data packages are
>> not very important for internet and e-mail.
>> 
>> TIA,
>> 
>> Robert-Jan Kuijvenhoven
>
>
>-- 
>To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
>as the Subject.
>
>
>
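As an added illustration (not part of this thread, and not code from either correspondent), the script below parses ipchains log lines in the form shown in the message and labels each entry. The point it makes concrete is the question about high source ports: Linux 2.2 IP masquerading does not only rewrite the source address, it also rewrites the source port of every outgoing masqueraded packet into a reserved range (61000 to 65095 in the 2.2 ip_masq code) so that the reply arriving on that port can be mapped back to the internal host that sent the request. The destination port (80, 53) still names the service being contacted. The sample input is the two log lines from the message, re-joined onto single lines; the service name table and the field names are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Linux 2.2 IP masquerading rewrites the source port of each outgoing masqueraded
# packet into this reserved range (PORT_MASQ_BEGIN = 61000, PORT_MASQ_END = 65096,
# exclusive, in the 2.2 ip_masq code) so that replies can be mapped back to the
# internal host that originated the packet.
MASQ_PORT_MIN, MASQ_PORT_MAX = 61000, 65095

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Small table of well-known destination ports (assumed for this example).
WELL_KNOWN = {20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
              53: "domain", 80: "http", 110: "pop3", 119: "nntp", 443: "https"}

# Leading part of an ipchains log entry as pasted in the message:
#   <chain> <target> <iface> proto=<n> <src>:<sport> <dst>:<dport> ...
# For ICMP (proto=1) ipchains prints type:code in the port positions; the
# classifier below only makes sense for TCP and UDP.
HEAD_RE = re.compile(
    r"(?P<chain>\S+)\s+(?P<target>\S+)\s+(?P<iface>\S+)\s+proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Trailing single-letter fields: L=length S=tos I=id F=frag/flags T=ttl (O=options if present).
TAIL_RE = re.compile(r"\b([A-Z])=(\S+)")


@dataclass
class IpchainsEntry:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    fields: Dict[str, str]


def parse_entry(line: str) -> Optional[IpchainsEntry]:
    """Parse one log line; return None for lines that are not ipchains entries."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    tail = dict(TAIL_RE.findall(line[m.end():]))
    return IpchainsEntry(chain=m["chain"], target=m["target"], iface=m["iface"],
                         proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
                         dst=m["dst"], dport=int(m["dport"]), fields=tail)


def classify_source_port(port: int) -> str:
    """Explain where a source port number most likely came from."""
    if MASQ_PORT_MIN <= port <= MASQ_PORT_MAX:
        return "masquerade range (rewritten by the masquerading router)"
    if port >= 1024:
        return "ephemeral client port"
    return "privileged port"


def describe(entry: IpchainsEntry) -> str:
    """One-line human-readable reading of an entry, TCP/UDP only."""
    proto = PROTO_NAMES.get(entry.proto, "proto %d" % entry.proto)
    if entry.proto not in (6, 17):
        return "%s chain %s on %s: %s %s -> %s (not a port-based protocol)" % (
            entry.chain, entry.target, entry.iface, proto, entry.src, entry.dst)
    service = WELL_KNOWN.get(entry.dport, "port %d" % entry.dport)
    return ("%s chain %s on %s: %s %s:%d -> %s:%d (%s); source port is %s; ttl=%s" % (
        entry.chain, entry.target, entry.iface, proto, entry.src, entry.sport,
        entry.dst, entry.dport, service, classify_source_port(entry.sport),
        entry.fields.get("T", "?")))


def analyze(log_text: str) -> List[str]:
    """Describe every parsable entry in a block of log text."""
    return [describe(e) for e in map(parse_entry, log_text.splitlines()) if e is not None]


# Constructed sample: the two entries quoted in the message, re-joined onto one
# line each (the original output was wrapped when pasted into the mail).
SAMPLE_LOG = """\
output DENY ippp0 proto=6 195.86.4.71:61041 194.151.216.202:80 L=569 S=0x10 I=64784 F=0x4000 T=31
output DENY ippp0 proto=17 195.86.48.17:1024 192.112.36.4:53 L=61 S=0x00 I=354 F=0x000 T=64
"""

if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG):
        print(line)
```

Run as-is it reports the first entry as TCP to port 80 (http) with a source port in the masquerade range, and the second as UDP to port 53 (domain) from an ordinary ephemeral port, which is the shape of a DNS lookup sent by a resolver on the firewall's dynamic address rather than a reply coming back to it. A catch-all DENY at the end of the output chain will log exactly these because they leave via the dial-up interface rather than the inside network.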

