On Fri, 28 Jan 2005 20:16:46 +0100, "mika" <mikata at gmail dot com> said:

> > Definitely looks like someone is using port 22 to leave that box and go to bluemidnight.
>
> Does it? The question is, why is this traffic logged? Normally this
> traffic is not blocked, because of the standard rules LAN->WAN allow!

I don't use the standard rules. I block (and log) LAN->WAN except for a few designated destination ports (80, 443 etc).

> As I can see from here, this is a connection from machine .2.7 to the
> inet IP, that is sending some packets twice probably because of
> missing bandwidth. If it takes too long to get an ACK answer
> transmitted from the inet IP, your PC sends out the request another
> time. But m0n0wall sees the ID of the packet and drops it because it
> has seen it before and is no new packet of the connection.

I'll keep that idea in mind. Though, at the moment, it doesn't look likely.

> The other question is why are you connecting to bluemidnight.com?

That is precisely what I would like to know.

> Maybe it is a packet with fake IPs?

Life is never simple.

-j

--
Jeffrey Goldberg http://www.goldmark.org