Date: Wed, 13 Feb 2002 15:08:00 +0200
From: Giorgos Keramidas
To: Jim Conner
Cc: James Green, freebsd-questions@freebsd.org
Subject: Re: Am I being hacked?! Strange connection attempts

On 2002-02-13 01:22, Jim Conner wrote:
>
> Ok. Yup, James, you are right. 10.* is a private IP address
> block. Therefore, the fact that there is a connect attempt on port 1433
> from a real IP address to an internal address could be hokey if...*if*
> J.S. is NOT forwarding the ports or has this machine in his DMZ or
> something. If he has it blocked, however (or not in the DMZ) then this, to
> me, looks like someone is port-scanning and they are taking advantage of
> J.S.'s stateless firewall. They are probably using a syn+ack scan or
> something. This kind of scan, IIRC, is capable of fooling the firewall
> into thinking that the inside host made a request to the outside world and
> therefore the fw happily passes the packets along.

Which should not be allowed, since packets coming from an IP address
that does not match one of the addresses of an interface should be
dropped dead on the floor :)

Giorgos Keramidas                 FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr}  http://www.FreeBSD.org/docproj/
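
The stateless-firewall behaviour discussed in this message, as an added example that is not part of the original thread: a flag-only "established" rule is compared with a filter that tracks which flows an inside host opened. The rule logic is a simplified model, not any particular firewall's code, and every address and port except 1433 is constructed.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool   # True = arriving from the outside network

def stateless_pass(pkt):
    """Flag-only rule: trust any inbound segment that has ACK or RST set."""
    if not pkt.inbound:
        return True                        # inside hosts may send anything out
    return bool(pkt.flags & (ACK | RST))   # only a bare SYN is refused

class StatefulFilter:
    """Pass inbound segments only when they answer a flow opened from inside."""
    def __init__(self):
        self.flows = set()

    def passes(self, pkt):
        if not pkt.inbound:
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must match a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare(packets):
    """Return (label, stateless verdict, stateful verdict) per packet, in order."""
    fw = StatefulFilter()
    return [(label, stateless_pass(p), fw.passes(p)) for label, p in packets]

# Constructed sample traffic (documentation and private address ranges).
SAMPLE = [
    ("unsolicited syn+ack", Packet("203.0.113.7", 4000, "10.0.0.5", 1433, SYN | ACK, True)),
    ("outbound syn", Packet("10.0.0.5", 51000, "198.51.100.9", 80, SYN, False)),
    ("reply syn+ack", Packet("198.51.100.9", 80, "10.0.0.5", 51000, SYN | ACK, True)),
    ("inbound bare syn", Packet("203.0.113.7", 4001, "10.0.0.5", 1433, SYN, True)),
]

if __name__ == "__main__":
    for label, stateless, stateful in compare(SAMPLE):
        print(f"{label:20} stateless={'pass' if stateless else 'drop'} "
              f"stateful={'pass' if stateful else 'drop'}")
```

Only the first sample packet is judged differently by the two filters: the flag-only rule passes it, while the flow-tracking filter drops it because no inside host opened that connection.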