From owner-freebsd-security  Fri Mar 10 19:47: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81])
	by hub.freebsd.org (Postfix) with ESMTP id AC33D37B969
	for ; Fri, 10 Mar 2000 19:46:53 -0800 (PST)
	(envelope-from logix@foobar.franken.de)
Received: (from logix@localhost)
	by foobar.franken.de (8.8.8/8.8.5) id EAA10217;
	Sat, 11 Mar 2000 04:46:58 +0100 (CET)
Message-ID: <20000311044658.A10149@foobar.franken.de>
Date: Sat, 11 Mar 2000 04:46:58 +0100
From: Harold Gutch
To: Andy Farkas , freebsd-security@FreeBSD.ORG
Subject: Re: security check output
References: <200003101459.BAA03095@zippyii.af.speednet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Andy Farkas on Sat, Mar 11, 2000 at 02:18:13PM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 11, 2000 at 02:18:13PM +1100, Andy Farkas wrote:
> 
> This may belong on -questions...
> 
> How is it possible that I get connection attempts from outside my private
> subnet? My main concern is how the heck do these packets get routed to my
> workstation? I'm sure there are routers in between that drop RFC1918
> addresses..
> 
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
[...]

As you didn't say which version of FreeBSD you were using, I just grepped
through a 2.2.8 source tree and guessed from the source that incoming
SYN|ACK packets were logged by log_in_vain. I might be wrong, but my guess
is that you're seeing answers to outgoing HTTP packets for which the local
socket already timed out and therefore is closed already. These packets had
the SYN (and the ACK) flag set and therefore were logged by FreeBSD,
although they basically were real replies from some outside machine.

Your NATting box overwrote the destination address of these packets to
match the internal address (172.22.2.9), therefore you're seeing packets to
these addresses to closed sockets (hence the log entries).

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have been
lost waiting for NT to reboot.
		Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
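An added triage helper, not part of the thread or of FreeBSD, that parses log_in_vain lines in the format quoted above and applies the reasoning from this reply: a packet arriving from a service port (80) at one of our ephemeral ports is most likely a late reply to an outbound connection whose local socket has already closed, while packets aimed at our own service ports are treated as probes. The regular expression, the 1024 port threshold and the two extra sample lines are my assumptions; the first two sample lines are the ones quoted in the thread.

```python
import re
from collections import Counter

# Matches the log_in_vain message format quoted in the thread (assumed stable).
LOG_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<laddr>[\d.]+):(?P<lport>\d+)"
    r" from (?P<raddr>[\d.]+):(?P<rport>\d+)"
)

# Constructed sample log: the two lines from the thread plus two made-up probes
# from documentation addresses (192.0.2.0/24).
SAMPLE_LOG = """\
Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
Connection attempt to TCP 172.22.2.9:23 from 192.0.2.77:3321
Connection attempt to TCP 172.22.2.9:139 from 192.0.2.78:1025
"""

EPHEMERAL_MIN = 1024  # assumption: ports below this are well-known service ports


def parse_line(line):
    """Return the fields of a log_in_vain line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["lport"] = int(entry["lport"])
    entry["rport"] = int(entry["rport"])
    return entry


def classify(entry):
    """Apply the thread's heuristic: from a service port, to our ephemeral port
    -> probably a late reply to a closed outbound socket that NAT still forwarded.
    A scanner may also choose 80 as its source port, so this is a triage hint."""
    if entry["rport"] < EPHEMERAL_MIN and entry["lport"] >= EPHEMERAL_MIN:
        return "late-reply"
    return "probe"


def triage(log_text):
    """Count entries per (class, remote address, local port) so real probes stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a log_in_vain line
        counts[(classify(entry), entry["raddr"], entry["lport"])] += 1
    return counts
```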