 From:  "Baity Fish" <holycarp00 at hotmail dot com>
 To:  sonicsai at gmail dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Beta 1.3b1 Unusual Firewall Log Entries Since Upgrade
 Date:  Mon, 18 Dec 2006 14:15:36 -0800
>your ISP should not be sending packets like that to you. very strange.

It continues today as well, consuming most of the log.  I thought to do a 
tracert and found it to be like you said, from my ISP, Time Warner Cable:

Tracing route to 172.21.110.70 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  MY-GATEWAY-IP [192.168.X.X]
  2     6 ms     6 ms    11 ms  10.245.112.1
  3     6 ms     *        6 ms  gig2-2.lkwdca1-rtr1.socal.rr.com [76.166.2.96]
  4     7 ms     *        *     tge7-1.cyprca1-rtr1.socal.rr.com [76.166.1.37]
  5     8 ms     *        6 ms  tge8-1.cyprca1-rtr3.socal.rr.com [76.166.1.39]
  6     8 ms     *        5 ms  tge1-1.cyprca1-rtr4.socal.rr.com [76.166.2.178]
  7    26 ms    12 ms    16 ms  tge2-3-0.TUSTCA1-RTR1.socal.rr.com [66.75.161.205]
  8    13 ms    13 ms    13 ms  POS4-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.193]
  9    17 ms    17 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 10    12 ms    13 ms    14 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 11    18 ms    17 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 12    20 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 13    16 ms    18 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 14    13 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 15    17 ms    17 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 16    13 ms    14 ms    15 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 17    18 ms    18 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 18    16 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 19    18 ms    19 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 20    13 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 21    18 ms    17 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 22    14 ms    14 ms    14 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 23    17 ms    18 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 24    13 ms    13 ms    14 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 25    18 ms    17 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 26    16 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 27    16 ms    17 ms    20 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 28    13 ms    15 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]
 29    17 ms    17 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com [66.75.161.162]
 30    14 ms    14 ms    15 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com [66.75.161.161]

Trace complete.

>I would suspect that you are only taking a close look at the logs
>because of the updates and would have missed these  entries otherwise.

True, but the timing was just good enough to fool me.  It's possible that 
there were some of these previously, few enough that I missed them on a 
random look-see, but now they're hard to miss, taking up 87% of the last 
nine hours/1000 firewall log entries.

Maybe Time Warner is probing for something?  I need to get my syslog server 
back up.  Thanks for the help.