 From:  "Baity Fish" <holycarp00 at hotmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Beta 1.3b1 Unusual Firewall Log Entries Since Upgrade
 Date:  Sun, 17 Dec 2006 23:00:44 -0800
Many, many thanks for the continued development of m0n0wall, Manuel, Dinesh, 
and everyone else who has contributed to the project.  I have just made a 
donation to drive home that fact.  m0n0wall has been protecting my home 
network since pb26 and I love it.  Keep up the great work.

Roughly 24 hours since upgrading here and most everything seems fine.  It 
may be coincidence but I have a few odd Firewall Log entries that I haven't 
seen until upgrading from v1.23b1 (generic PC w/ Transcend IDE Compact 
Flash).  They are a few private 172.21.x.x addresses trying to access the 
WAN-IP such as:

19:18:57.325965 xl0 @0:16 b 172.21.110.80,11019 -> WAN-IP,18971 PR tcp len 20 40 -R IN
19:16:57.251120 xl0 @0:16 b 172.21.52.58,11083 -> WAN-IP,18966 PR tcp len 20 40 -R IN

In a recent five hour period:
Sources:
172.21.11.70:11083
172.21.21.46:11083
172.21.21.52:11189
172.21.52.58:11083
172.21.109.78:11019
172.21.110.80:11019

Target:
WAN-IP ports 18916-19167 (greater than 400 occurrences)

As a precaution I made a firewall rule to Block 172.21.0.0/16 just in case 
it's something sinister.  It's very possible that I'm wrong on that but I'm 
not TOO well versed in networkese and got the rule wrong for blocking 
172.21.0.0-172.21.255.255.  FWIW, my LAN and DMZ are both 192.168.x.x.

I don't run a syslog server but occasionally glance at the logs (set to 1000 
entries) and have never seen anything like this until the upgrade, so that's 
why I'm leaning toward it being related to v1.3b1.
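
Added example (not part of the original post and not m0n0wall code): a small Python parser for the firewall log format quoted above that flags RFC 1918 sources arriving inbound on the WAN interface and summarises them per source, as the poster did by hand. It assumes xl0 is the WAN interface and that every line follows the field layout of the two quoted entries; the last three sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout taken from the two lines quoted in the post:
# time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen -flags IN
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>\S+))? (?P<dir>IN|OUT)$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def private_on_wan(lines, wan_if="xl0"):
    """Summarise inbound packets on wan_if whose source address is RFC 1918."""
    hits = defaultdict(lambda: {"count": 0, "dports": set(), "sports": set()})
    for line in lines:
        rec = parse(line)
        if not rec or rec["iface"] != wan_if or rec["dir"] != "IN":
            continue  # unparsable, other interface, or outbound
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in RFC1918):
            h = hits[str(src)]
            h["count"] += 1
            h["dports"].add(int(rec["dport"]))
            h["sports"].add(int(rec["sport"]))
    return dict(hits)

# First two lines are from the post (re-joined); the other three are constructed.
SAMPLE = [
    "19:18:57.325965 xl0 @0:16 b 172.21.110.80,11019 -> WAN-IP,18971 PR tcp len 20 40 -R IN",
    "19:16:57.251120 xl0 @0:16 b 172.21.52.58,11083 -> WAN-IP,18966 PR tcp len 20 40 -R IN",
    "19:20:01.000001 xl0 @0:16 b 172.21.110.80,11019 -> WAN-IP,19002 PR tcp len 20 40 -R IN",
    "19:21:10.000002 xl0 @0:16 b 198.51.100.7,4431 -> WAN-IP,445 PR tcp len 20 48 -S IN",
    "19:22:30.000003 xl1 @0:4 b 192.168.1.20,3301 -> 192.168.2.5,139 PR tcp len 20 48 -S IN",
]

if __name__ == "__main__":
    for src, h in sorted(private_on_wan(SAMPLE).items()):
        print(f"{src}: {h['count']} pkts, dst ports {min(h['dports'])}-{max(h['dports'])}")
```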