Date:      Sat, 11 Mar 2000 04:46:58 +0100
From:      Harold Gutch <logix@foobar.franken.de>
To:        Andy Farkas <andyf@speednet.com.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: security check output
Message-ID:  <20000311044658.A10149@foobar.franken.de>
In-Reply-To: <Pine.BSF.4.10.10003111406230.53856-100000@backup.af.speednet.com.au>; from Andy Farkas on Sat, Mar 11, 2000 at 02:18:13PM +1100
References:  <200003101459.BAA03095@zippyii.af.speednet.com.au> <Pine.BSF.4.10.10003111406230.53856-100000@backup.af.speednet.com.au>

On Sat, Mar 11, 2000 at 02:18:13PM +1100, Andy Farkas wrote:
> 
> This may belong on -questions...
> 
> How is it possible that I get connection attempts from outside my private
> subnet?  My main concern is how the heck do these packets get routed to my
> workstation?  I'm sure there are routers in between that drop RFC1918
> addresses..
> 
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
[...]

As you didn't say which version of FreeBSD you were using, I just
grepped through a 2.2.8 sourcetree and guessed from the source
that incoming SYN|ACK - packets were logged by log_in_vain.

I might be wrong, but my guess is that you're seeing answers to
outgoing HTTP-packets for which the local socket already timed
out and therefore is closed already.  These packets had the SYN
(and the ACK-) flag set and therefore were logged by FreeBSD,
although they basically were real replies from some outside
machine.
Your NAT-ting box overwrote the destination-address of these
packets to match the internal address (172.22.2.9), therefore
you're seeing packets to these addresses to closed sockets (hence
the log-entries).

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
              Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
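A small triage script for log_in_vain lines of the shape quoted above, added here as an illustration and not part of the thread or of FreeBSD. It applies the heuristic Harold describes: an entry whose source is a service port (80) and whose destination is one of our ephemeral ports looks like a late reply to a connection we opened and NAT rewrote, while anything aimed at a local service port is a genuine inbound probe. The 1024 ephemeral-port boundary and the two 192.0.2.x lines are assumptions/constructed sample data.

```python
import re
from collections import Counter

# Shape of the log_in_vain lines quoted in the thread.
LOG_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)

# Constructed sample: the first two lines are the ones quoted in the thread,
# the rest are made up (192.0.2.0/24 is the documentation address range).
SAMPLE_LOG = """\
Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
Connection attempt to TCP 172.22.2.9:23 from 192.0.2.77:4512
Connection attempt to UDP 172.22.2.9:137 from 192.0.2.78:137
"""

EPHEMERAL_MIN = 1024  # assumption: ports >= 1024 are treated as client-side ephemeral ports

def classify(line):
    """Return (key, verdict) for one log_in_vain line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
    if src_port < EPHEMERAL_MIN and dst_port >= EPHEMERAL_MIN:
        # service port -> our ephemeral port: the remote end answering a
        # connection we opened, i.e. the NAT case described in the thread
        verdict = "likely-late-reply"
    elif dst_port < EPHEMERAL_MIN:
        # anything aimed at one of our own service ports deserves a look
        verdict = "inbound-probe"
    else:
        verdict = "unclassified"
    key = (m["proto"], m["src_ip"], src_port, m["dst_ip"], dst_port)
    return key, verdict

def triage(log_text):
    """Group identical entries and attach a verdict. Repeats of a late reply
    are consistent with SYN|ACK retransmissions from the remote server."""
    counts, verdicts = Counter(), {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            key, verdict = parsed
            counts[key] += 1
            verdicts[key] = verdict
    return {key: (verdicts[key], counts[key]) for key in counts}

if __name__ == "__main__":
    for key, (verdict, n) in triage(SAMPLE_LOG).items():
        proto, src_ip, sp, dst_ip, dp = key
        print(f"{verdict:18} x{n}  {proto} {src_ip}:{sp} -> {dst_ip}:{dp}")
```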
