I would pay a visit to the desk of said client PC and find out why it's contacting a blank page... It might be a good thing the packets are getting blocked ;)

-Rob

----- Original Message -----
From: "Don Munyak" <don dot munyak at gmail dot com>
To: "taharka" <res00vl8 at alltel dot net>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, April 04, 2005 4:54 PM
Subject: Re: [m0n0wall] Need some help understanding why certain traffic is being blocked.

> Well.. I did the whois thing too and got the same info... Thanks.
>
>> Any of the above sound familiar to you?
> No.. don't really know who above.net is.
>
> I went one step further and poked the IP into a browser URL, since it
> was port 80 traffic. All I got was a blank page, not even any source
> code. I suspect probably some kind of pop-up.
>
> I still don't understand why m0n0wall blocks the outbound traffic
> though. The only thing I can think of is possibly an out-of-sync
> packet, since m0n0wall is stateful. ???
>
> - Don
>
> On Apr 4, 2005 4:18 PM, taharka <res00vl8 at alltel dot net> wrote:
>> Don Munyak wrote:
>>
>> >I have noticed the following rule in ipfstat -nio
>> >
>> >@17 block in log quick proto tcp from any to any
>> >
>> >We are getting the following block traffic log:
>> >
>> >Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b 192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.135305 rl1 @0:17 b 192.168.222.187,1675 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.223278 rl1 @0:17 b 192.168.222.187,1678 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.326783 rl1 @0:17 b 192.168.222.187,1679 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.569712 rl1 @0:17 b 192.168.222.187,1680 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.749627 rl1 @0:17 b 192.168.222.187,1683 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.971438 rl1 @0:17 b 192.168.222.187,1685 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b 192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:05.151938 rl1 @0:17 b 192.168.222.187,1686 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:21 m0n0wall ipmon[78]: 23:13:20.748817 rl1 @0:17 b 192.168.222.187,1692 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >Apr 4 23:13:21 m0n0wall ipmon[78]: 23:13:21.339997 rl1 @0:17 b 192.168.222.187,1696 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
>> >
>> >rl1 is the LAN gateway interface
>> >xl1 is the WAN interface
>> >r10 is the DMZ interface (not being used)
>> >
>> >I am unable to determine who 216.200.68.4 is.
>> >192.168.222.187 is one of our LAN client PCs.
>> >
>> >The only traffic I am blocking at the LAN interface is telnet and 445.
>> >Why then are these packets being blocked?
>> >Is there a simple explanation or do I need to provide more information?
>> >
>> >I am also seeing the same kind of blocks for another "server" which we
>> >are using for an ASP web application.
>> >
>> >TIA,
>> >
>> >- Don
>> >
>> Here's what whois has to say regarding 216.200.68.4 & above.net.
>>
>> [Querying whois.arin.net]
>> [whois.arin.net]
>> Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1)
>> 216.200.0.0 - 216.200.255.255
>> SPEEDERA NETWORKS, ABOV-D277-216-200-68-0-24 (NET-216-200-68-0-1)
>> 216.200.68.0 - 216.200.68.255
>>
>> # ARIN WHOIS database, last updated 2005-04-03 19:10
>> # Enter ? for additional hints on searching ARIN's WHOIS database.
>>
>> Registrant:
>> AboveNet Communications, Inc.
>> 50 West San Fernando St., Suite 1010
>> San Jose, CA 95113
>> US
>>
>> Domain Name: ABOVE.NET
>>
>> Administrative Contact:
>> AboveNet Communications, Inc. dns at ABOVE dot NET
>> 50 W SAN FERNANDO ST STE 1010
>> SAN JOSE, CA 95113-2414
>> US
>> 408-367-6666 fax: 408-367-6688
>>
>> Technical Contact:
>> AboveNet Communications, Inc. dns at ABOVE dot NET
>> AboveNet Communications, Inc.
>> 50 W SAN FERNANDO ST STE 1010
>> SAN JOSE, CA 95113-2414
>> US
>> 408-367-6673 fax: 408-367-6688
>>
>> Record expires on 10-Jun-2014.
>> Record created on 09-Jun-1996.
>> Database last updated on 4-Apr-2005 16:03:31 EDT.
>>
>> Domain servers in listed order:
>>
>> NS.ABOVE.NET 207.126.96.162
>> NS3.ABOVE.NET 207.126.105.146
>>
>> Any of the above sound familiar to you?
>>
>> taharka
>>
>> Lexington, Kentucky U.S.A.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
>
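The check a practitioner would run on Don's log before visiting the client's desk: read the TCP flags field of each blocked ipmon line. Every line above carries -AF (ACK and FIN set, no SYN), so these are teardown packets of connections that were already under way, not new connection attempts that the LAN policy refused. That is the pattern of a stateful filter that has no state entry left for the connection (the entry expired, or the connection predates it), so the packet falls through to the catch-all block rule @0:17. The script below is an added example for this thread, not m0n0wall's or IPFilter's code. It parses the ipmon format as posted, splits blocked packets into "new-connection" (SYN only) versus "out-of-state" (ACK-bearing, no SYN), and counts them per source, destination and port. The sample input is the eleven lines Don posted plus one constructed -S line (a blocked telnet SYN to a TEST-NET address, which is an assumption, not anything from the thread) so both cases appear.

```python
"""Sort ipmon block-log lines by TCP flags to separate refused connection
attempts from out-of-state packets.

Added example for this thread, not m0n0wall's or IPFilter's own code.
"""
import re
from collections import Counter

# One ipmon line, as posted in the thread, reads left to right:
#   syslog stamp, host, ipmon[pid], packet timestamp, interface, @group:rule,
#   action (b = block, p = pass), src,port -> dst,port, PR proto,
#   len <ip header len> <total len>, -<TCP flags>, direction (IN / OUT).
IPMON_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ipmon\[(?P<pid>\d+)\]: (?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+) "
    r"PR (?P<proto>[a-z]+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: -(?P<flags>[SAPUFR]+))? (?P<dir>IN|OUT)$"
)


def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "group", "rule", "sport", "dport", "hlen", "tlen"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"] or ""   # non-TCP lines carry no flags field
    return rec


def classify(rec):
    """Label what kind of packet reached the block rule.

    non-tcp        : no TCP flags to reason about.
    new-connection : SYN without ACK; the blocking rule is the policy for it.
    out-of-state   : ACK set and SYN clear (here -AF, ACK+FIN): a packet of a
                     connection already under way, which a stateful filter only
                     drops when it holds no state entry for that connection.
    """
    if rec["proto"] != "tcp":
        return "non-tcp"
    flags = rec["flags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"


def summarize(lines):
    """Count blocked packets per (src, dst, dport, label); also return unparsed lines."""
    counts = Counter()
    unparsed = []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["action"] != "b":      # only blocked packets are of interest here
            continue
        counts[(rec["src"], rec["dst"], rec["dport"], classify(rec))] += 1
    return counts, unparsed


# Sample input: the eleven lines Don posted in this thread, plus one constructed
# -S line (blocked telnet SYN to a TEST-NET address) to show the other case.
SAMPLE_LOG = """\
Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:03.793845 rl1 @0:17 b 192.168.222.187,1677 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.135305 rl1 @0:17 b 192.168.222.187,1675 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.223278 rl1 @0:17 b 192.168.222.187,1678 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:04 m0n0wall ipmon[78]: 23:13:04.326783 rl1 @0:17 b 192.168.222.187,1679 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.569712 rl1 @0:17 b 192.168.222.187,1680 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.749627 rl1 @0:17 b 192.168.222.187,1683 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:04.971438 rl1 @0:17 b 192.168.222.187,1685 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:05.060978 rl1 @0:17 b 192.168.222.187,1684 -> 129.42.40.230,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:05 m0n0wall ipmon[78]: 23:13:05.151938 rl1 @0:17 b 192.168.222.187,1686 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:21 m0n0wall ipmon[78]: 23:13:20.748817 rl1 @0:17 b 192.168.222.187,1692 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:13:21 m0n0wall ipmon[78]: 23:13:21.339997 rl1 @0:17 b 192.168.222.187,1696 -> 216.200.68.4,80 PR tcp len 20 40 -AF IN
Apr 4 23:14:00 m0n0wall ipmon[78]: 23:14:00.000000 rl1 @0:17 b 192.168.222.187,1700 -> 192.0.2.10,23 PR tcp len 20 48 -S IN
""".splitlines()


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LOG)
    for (src, dst, dport, label), n in sorted(counts.items()):
        print(f"{n:3d}  {src} -> {dst}:{dport}  {label}")
    if unparsed:
        print(f"{len(unparsed)} line(s) did not parse")
```

On Don's lines the summary comes out as ten out-of-state packets to 216.200.68.4:80 and one to 129.42.40.230:80, against a single new-connection entry for the constructed telnet SYN. A run of out-of-state blocks that all have the same ACK+FIN shape is usually a state-table timing question rather than a policy question; a run of SYN blocks to the same destination is the one that deserves the visit to the client's desk.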