Don Munyak wrote:
>I have noticed the following rule in ipfstat -nio
>
>@17 block in log quick proto tcp from any to any
>
>We are getting the following block traffic log:
>
>Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b
>192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.135305 rl1 @0:17 b
>192.168.222.187,1675 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.223278 rl1 @0:17 b
>192.168.222.187,1678 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.326783 rl1 @0:17 b
>192.168.222.187,1679 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.569712 rl1 @0:17 b
>192.168.222.187,1680 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.749627 rl1 @0:17 b
>192.168.222.187,1683 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.971438 rl1 @0:17 b
>192.168.222.187,1685 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b
>192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:05.151938 rl1 @0:17 b
>192.168.222.187,1686 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:21 m0n0wall ipmon[78]: 23:13:20.748817 rl1 @0:17 b
>192.168.222.187,1692 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>Apr 4 23:13:21 m0n0wall ipmon[78]: 23:13:21.339997 rl1 @0:17 b
>192.168.222.187,1696 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>
>rl1 is the LAN gateway interface
>xl1 is the WAN interface
>r10 is DMZ interface (not being used)
>
>I am unable to determine who 216.200.68.4 is.
>192.168.222.187 is one of our LAN client PCs.
>
>The only traffic I am blocking at the LAN interface is telnet and 445.
>Why then are these packets being blocked?
>Is there a simple explanation or do I need to provide more information?
>
>I am also seeing the same kind of blocks for another "server" which we
>are using for an ASP web application.
>
>TIA,
>
>- Don
>
>
>
Here's what whois has to say regarding 216.200.68.4 & above.net.
[Querying whois.arin.net]
[whois.arin.net]
Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1)
216.200.0.0 - 216.200.255.255
SPEEDERA NETWORKS, ABOV-D277-216-200-68-0-24 (NET-216-200-68-0-1)
216.200.68.0 - 216.200.68.255
# ARIN WHOIS database, last updated 2005-04-03 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Registrant:
AboveNet Communications, Inc.
50 West San Fernando St., Suite 1010
San Jose, CA 95113
US
Domain Name: ABOVE.NET
Administrative Contact:
AboveNet Communications, Inc. dns at ABOVE dot NET
50 W SAN FERNANDO ST STE 1010
SAN JOSE, CA 95113-2414
US
408-367-6666 fax: 408-367-6688
Technical Contact:
AboveNet Communications, Inc. dns at ABOVE dot NET
AboveNet Communications, Inc.
50 W SAN FERNANDO ST STE 1010
SAN JOSE, CA 95113-2414
US
408-367-6673 fax: 408-367-6688
Record expires on 10-Jun-2014.
Record created on 09-Jun-1996.
Database last updated on 4-Apr-2005 16:03:31 EDT.
Domain servers in listed order:
NS.ABOVE.NET 207.126.96.162
NS3.ABOVE.NET 207.126.105.146
Any of the above sound familiar to you?
taharka
Lexington, Kentucky U.S.A.
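A small parser for the ipmon records quoted above, added here as an example (it is not code from this thread or from m0n0wall). It decodes the `@group:rule`, action and TCP-flag fields (in ipmon `b` is block, `p` is pass, and `-AF` means the ACK and FIN bits are set) and tallies blocked records per interface, rule and destination; the sample is constructed from the quoted lines with each mail-wrapped record re-joined onto one line.

```python
import re
from collections import Counter

# Constructed sample: three records from the thread, each re-joined onto one
# line (the mail client had wrapped every record after the action letter).
SAMPLE_LOG = """\
Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b 192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b 192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:21 m0n0wall ipmon[78]: 23:13:21.339997 rl1 @0:17 b 192.168.222.187,1696 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
"""

# ipmon record layout after the syslog prefix:
#   <time> <iface> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport>
#   PR <proto> len <iphdrlen> <totlen> [-<tcpflags>] <IN|OUT>
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)"
)

# Single-letter TCP flag codes as printed by ipmon.
TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_ipmon_line(line):
    """Return a dict of the fields of one ipmon record, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "-AF" -> ["ACK", "FIN"]; non-TCP records carry no flag field.
    rec["tcp_flags"] = [TCP_FLAG_NAMES.get(c, c) for c in (rec["flags"] or "-")[1:]]
    rec["action"] = "block" if rec["action"] == "b" else "pass"
    return rec

def summarize_blocks(log_text):
    """Count blocked records by (interface, rule, destination, port, flags, direction)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["action"] == "block":
            key = (rec["iface"], f"@{rec['group']}:{rec['rule']}", rec["dst"],
                   rec["dport"], "+".join(rec["tcp_flags"]), rec["dir"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE_LOG).most_common():
        print(n, *key)
```

Run over a full ipmon log, the summary shows at a glance which rule is doing the blocking and that every hit here is an inbound ACK+FIN on rl1 to port 80, which is the question the thread is asking about.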