 From:  mika <mikata at gmail dot com>
 To:  Chet Harvey <chet at pittech dot com>
 Cc:  Jeffrey Goldberg <jeffrey at goldmark dot org>, Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Have I been owned? (caught outgoing src port 22)
 Date:  Fri, 28 Jan 2005 20:16:46 +0100
> Definitely looks like someone is using port 22 to leave that box and go to bluemidnight.

Does it? The question is, why is this traffic logged? Normally this
traffic is not blocked, because of the standard rule LAN->WAN allow!
As I can see from here, this is a connection from machine .2.7 to the
inet IP, that is sending some packets twice, probably because of
missing bandwidth. If it takes too long to get an ACK answer
transmitted from the inet IP, your PC sends out the request another
time. But m0n0wall sees the ID of the packet and drops it because it
has seen it before and it is no new packet of the connection.

The other question is why are you connecting to bluemidnight.com?
Since the source port 22 is used for SSH on that Unix system, it has to
be a connection emitted by bluemidnight.com. But if you do not have
any port forwarding or advanced NAT or something like that, it is just
not possible to have such a connection.

Maybe it is a packet with fake IPs?
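Added example (not from the poster or the m0n0wall project): a small triage script that applies the reasoning above to constructed LAN->WAN log records, separating retransmissions the stateful firewall already saw from genuinely out-of-state packets that use a service port like 22 as their source. It assumes no inbound port forwarding exists and that each record carries the TCP flags and sequence number; the addresses are constructed.

```python
from dataclasses import dataclass

# Constructed scenario: all records are LAN->WAN packets seen by a stateful
# firewall with no inbound port forwarding. WAN addresses are RFC 5737
# documentation IPs; the LAN host address is assumed for illustration.
SERVICE_PORTS = {22}  # low ports a LAN host would only use as a *server*

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "A", "SA"
    seq: int    # TCP sequence number from the log record

def classify(packets):
    """Return one verdict per outbound packet, in log order."""
    seen = set()        # (4-tuple, seq) already passed: a repeat is a retransmission
    lan_opened = set()  # 4-tuples for which the LAN host sent the initial SYN
    verdicts = []
    for p in packets:
        flow = (p.src, p.sport, p.dst, p.dport)
        if (flow, p.seq) in seen:
            verdicts.append("retransmission")  # firewall already saw this packet
            continue
        seen.add((flow, p.seq))
        if "S" in p.flags and "A" not in p.flags:
            lan_opened.add(flow)  # LAN host is the client of this connection
            verdicts.append("new outbound connection")
        elif flow in lan_opened:
            verdicts.append("established outbound connection")
        elif p.sport in SERVICE_PORTS:
            # LAN host answering as a server, but no inbound path exists:
            # spoofed addresses, or a session the firewall never created
            verdicts.append("anomalous: service port as source without LAN-initiated session")
        else:
            verdicts.append("out-of-state")
    return verdicts

LOG = [  # constructed sample records in the poster's scenario
    Pkt("192.168.2.7", 1045, "203.0.113.10", 80, "S", 1000),
    Pkt("192.168.2.7", 1045, "203.0.113.10", 80, "A", 1001),
    Pkt("192.168.2.7", 1045, "203.0.113.10", 80, "A", 1001),  # delayed ACK, resent
    Pkt("192.168.2.7", 22, "198.51.100.5", 40321, "A", 777),  # src port 22 outbound
]

if __name__ == "__main__":
    for pkt, verdict in zip(LOG, classify(LOG)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] {verdict}")
```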