 From:  sai <sonicsai at gmail dot com>
 To:  "Baity Fish" <holycarp00 at hotmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Beta 1.3b1 Unusual Firewall Log Entries Since Upgrade
 Date:  Mon, 18 Dec 2006 15:38:10 +0500
Your ISP should not be sending packets like that to you. Very strange.

I would suspect that you are only taking a close look at the logs
because of the updates and would have missed these entries otherwise.

sai

On 12/18/06, Baity Fish <holycarp00 at hotmail dot com> wrote:
> Many, many thanks for the continued development of m0n0wall, Manuel, Dinesh,
> and everyone else who has contributed to the project.  I have just made a
> donation to drive home that fact.  m0n0wall has been protecting my home
> network since pb26 and I love it.  Keep up the great work.
>
> Roughly 24 hours since upgrading here and most everything seems fine.  It
> may be coincidence but I have a few odd Firewall Log entries that I haven't
> seen until upgrading from v1.23b1 (generic PC w/ Transcend IDE Compact
> Flash).  They are a few private 172.21.x.x addresses trying to access the
> WAN-IP such as:
>
> 19:18:57.325965 xl0 @0:16 b 172.21.110.80,11019 -> WAN-IP,18971 PR tcp len 20 40 -R IN
> 19:16:57.251120 xl0 @0:16 b 172.21.52.58,11083 -> WAN-IP,18966 PR tcp len 20 40 -R IN
>
> In a recent five hour period:
> Sources:
> 172.21.11.70:11083
> 172.21.21.46:11083
> 172.21.21.52:11189
> 172.21.52.58:11083
> 172.21.109.78:11019
> 172.21.110.80:11019
>
> Target:
> WAN-IP ports 18916-19167 (greater than 400 occurrences)
>
> As a precaution I made a firewall rule to Block 172.21.0.0/16 just in case
> it's something sinister.  It's very possible that I'm wrong on that but I'm
> not TOO well versed in networkese and got the rule wrong for blocking
> 172.21.0.0-172.21.255.255.  FWIW, my LAN and DMZ are both 192.168.x.x
>
> I don't run a syslog server but occasionally glance at the logs (set to 1000
> entries) and have never seen anything like this until the upgrade so that's
> why I'm leaning toward it being related to v.13b1
>
>
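
Added example, not part of the original thread: Python that parses firewall log entries in the layout quoted above, lists RFC 1918 sources arriving inbound on the WAN interface, and checks which of them a block rule for 172.21.0.0/16 would cover. The regex is derived only from the two quoted entries; treating xl0 as the WAN interface, the third sample line, and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two entries quoted in the post, each on one line,
# plus one constructed entry from a documentation address (198.51.100.7).
SAMPLE = """\
19:18:57.325965 xl0 @0:16 b 172.21.110.80,11019 -> WAN-IP,18971 PR tcp len 20 40 -R IN
19:16:57.251120 xl0 @0:16 b 172.21.52.58,11083 -> WAN-IP,18966 PR tcp len 20 40 -R IN
19:20:01.000001 xl0 @0:16 b 198.51.100.7,4312 -> WAN-IP,445 PR tcp len 20 48 -S IN
"""

# The three private address blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE = re.compile(
    r"(?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)

def parse(text):
    """Return one dict of fields per log line that matches the layout above."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def private_sources_on_wan(entries, wan_if="xl0"):
    """Map each RFC 1918 source seen inbound on wan_if to the set of ports it targeted."""
    hits = defaultdict(set)
    for e in entries:
        if e["iface"] == wan_if and e["dir"] == "IN" and is_rfc1918(e["src"]):
            hits[e["src"]].add(int(e["dport"]))
    return dict(hits)

def rule_range(cidr):
    """First and last address a rule written for cidr matches."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])

def uncovered(sources, block_cidr="172.21.0.0/16"):
    """Sources that a block rule for block_cidr would NOT match."""
    net = ipaddress.ip_network(block_cidr)
    return [s for s in sources if ipaddress.ip_address(s) not in net]

if __name__ == "__main__":
    hits = private_sources_on_wan(parse(SAMPLE))
    print(rule_range("172.21.0.0/16"), hits, uncovered(hits))
```
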