 
 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  taharka <res00vl8 at alltel dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Need some help understanding why certain traffic is being blocked.
 Date:  Mon, 4 Apr 2005 16:54:47 -0400
Well..I did the whois thing too and got the same info...Thanks.

> Any of the above sound familiar to you?
No..don't really know who above.net is.

I went one step further and poked the IP into a browser URL, since it
was port 80 traffic. All I got was a blank page, not even any source
code. I suspect probably some kind of pop-up.

I still don't understand why m0n0wall blocks the outbound traffic
though. The only thing I can think of is possibly an out-of-sync
packet, since m0n0wall is stateful. ???

- Don

On Apr 4, 2005 4:18 PM, taharka <res00vl8 at alltel dot net> wrote:
> Don Munyak wrote:
> 
> >I have noticed the following rule in ipfstat -nio
> >
> >@17 block in log quick proto tcp from any to any
> >
> >We are getting the following block traffic log:
> >
> >Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b
> >192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:04.135305 rl1 @0:17 b
> >192.168.222.187,1675 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:04.223278 rl1 @0:17 b
> >192.168.222.187,1678 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:04.326783 rl1 @0:17 b
> >192.168.222.187,1679 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:04.569712 rl1 @0:17 b
> >192.168.222.187,1680 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:04.749627 rl1 @0:17 b
> >192.168.222.187,1683 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:04.971438 rl1 @0:17 b
> >192.168.222.187,1685 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b
> >192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:05.151938 rl1 @0:17 b
> >192.168.222.187,1686 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:21 m0n0wall ipmon[78]: 23:13:20.748817 rl1 @0:17 b
> >192.168.222.187,1692 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >Apr  4 23:13:21 m0n0wall ipmon[78]: 23:13:21.339997 rl1 @0:17 b
> >192.168.222.187,1696 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
> >
> >rl1 is the LAN gateway interface
> >xl1 is the WAN interface
> >r10 is DMZ interface (not being used)
> >
> >I am unable to determine who 216.200.68.4 is.
> >192.168.222.187 is one of our LAN client PCs.
> >
> >The only traffic I am blocking at the LAN interface is telnet and 445.
> >Why then are these packets being blocked?
> >Is there a simple explanation or do I need to provide more information?
> >
> >I am also seeing the same kind of blocks for another "server" which we
> >are using for an ASP web application.
> >
> >TIA,
> >
> >- Don
> >
> >
> >
> Here's what whois has to say regarding 216.200.68.4 & above.net.
> 
> [Querying whois.arin.net]
> [whois.arin.net]
> Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1)
>                                   216.200.0.0 - 216.200.255.255
> SPEEDERA NETWORKS, ABOV-D277-216-200-68-0-24 (NET-216-200-68-0-1)
>                                   216.200.68.0 - 216.200.68.255
> 
> # ARIN WHOIS database, last updated 2005-04-03 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
> 
> Registrant:
> AboveNet Communications, Inc.
>    50 West San Fernando St., Suite 1010
>    San Jose, CA 95113
>    US
> 
>    Domain Name: ABOVE.NET
> 
>    Administrative Contact:
>       AboveNet Communications, Inc.        dns at ABOVE dot NET
>       50 W SAN FERNANDO ST STE 1010
>       SAN JOSE, CA 95113-2414
>       US
>       408-367-6666 fax: 408-367-6688
> 
>    Technical Contact:
>       AboveNet Communications, Inc.        dns at ABOVE dot NET
>       AboveNet Communications, Inc.
>       50 W SAN FERNANDO ST STE 1010
>       SAN JOSE, CA 95113-2414
>       US
>       408-367-6673 fax: 408-367-6688
> 
>    Record expires on 10-Jun-2014.
>    Record created on 09-Jun-1996.
>    Database last updated on 4-Apr-2005 16:03:31 EDT.
> 
>    Domain servers in listed order:
> 
>    NS.ABOVE.NET                 207.126.96.162
>    NS3.ABOVE.NET                207.126.105.146
> 
> Any of the above sound familiar to you?
> 
> taharka
> 
> Lexington, Kentucky U.S.A.
> 
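The question in this thread is whether rule @0:17 is refusing the connections or merely catching out-of-state packets. The ipmon entries all carry the flags `-AF` (ACK+FIN) and no SYN, which is what a teardown straggler looks like after the state-table entry has expired. The parser below, added here and not part of the thread or of m0n0wall, reads the ipmon line format quoted above and sorts blocked records into policy blocks (fresh SYN) versus state-table misses. The three log lines are taken from the thread (re-joined onto single lines); the fourth, a blocked telnet SYN to 192.0.2.10, is constructed to show the contrast.

```python
import re
from collections import Counter

# ipmon(8) record as quoted in the thread: "<ts> <iface> @<group>:<rule> <b|p>
# <src>,<sport> -> <dst>,<dport> PR <proto> len <hlen> <plen> [-<flags>] <IN|OUT>".
# Flag letters are ipmon's: S=SYN A=ACK F=FIN R=RST P=PUSH U=URG.
IPMON_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\w+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Return the fields of one ipmon log line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""   # UDP/ICMP records carry no flag field
    return rec

def classify(rec):
    """Tell a policy block of a new connection apart from a state-table miss."""
    if rec["action"] != "b":
        return "passed"
    f = rec["flags"]
    if "S" in f and "A" not in f:
        return "policy-block"   # bare SYN: the rule set refused a new connection
    # ACK/FIN/RST without SYN: belongs to a session the firewall no longer tracks,
    # so the catch-all block rule fires even though policy permits the service.
    return "state-miss"

def summarize(lines):
    """Count blocked records by category over an iterable of ipmon lines."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec:
            counts[classify(rec)] += 1
    return counts

# Sample input: three lines from the thread, plus one constructed SYN block.
SAMPLE_LOG = [
    "Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b 192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN",
    "Apr  4 23:13:04 m0n0wall ipmon[78]: 23:13:04.135305 rl1 @0:17 b 192.168.222.187,1675 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN",
    "Apr  4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b 192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN",
    "Apr  4 23:13:30 m0n0wall ipmon[78]: 23:13:30.012345 rl1 @0:17 b 192.168.222.187,1700 -> 192.0.2.10,23 PR tcp len 20 48 -S IN",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = parse_ipmon(line)
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} flags={r['flags']:<3} {classify(r)}")
    print(dict(summarize(SAMPLE_LOG)))
```

A LAN whose blocked-traffic log is dominated by `state-miss` entries to permitted ports is seeing state expiry, not a rule misconfiguration; the `policy-block` count is the one that reflects the actual rule set.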