Help identify this firewall message

Archived from groups: alt.comp.networking.firewalls,alt.os.linux.mandrake,comp.os.linux.setup,comp.security.firewalls (More info?)

On Sat, 10 Apr 2004 18:54:31 +0300, Michael Badt sputtered:

> I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b
> firewall on a stand alone PC. I'm connected to the Internet via an
> ADSL connection using rp-pppoe. The ADSL modem is connected to eth1
> (eth0 is not connected and currently not used) which is configured for
> a static 192.168.1.X IP address (255.255.255.0 mask).

> MY ISP's IP addresses are: 192.114.47.4 (P) & 192.117.47.52 (S).

Those are their DNS server addresses, I presume?

moon@tvbox:~$ host 192.114.47.4
4.47.114.192.in-addr.arpa domain name pointer ns1.actcom.net.il.

Yup.

> Whenever I'm connected to the Internet (ppp0 present) my log file
> files (about every second) with the following entry:

> "Apr 10 07:04:18 localhost kernel: Shorewall:newnotsynROP: IN=ppp0
> OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840
> RES=0x00 ACK SYN URGP=0"

> CVAn somebody help me identufying ther source of this message and/or
> the target IP (192.115.16.120)?

Sure. Heck, you can even do it yourself ...

moon@tvbox:~$ host 192.114.47.51
51.47.114.192.in-addr.arpa domain name pointer proxy2.actcom.co.il.

The source appears to be a proxy server at your ISP, running on port
8080. The packet *appears* to be a response from this proxy server to a
connection initiated from the 192.155.16.120 address.

moon@tvbox:~$ host 192.115.16.120
Host 120.16.115.192.in-addr.arpa not found: 3(NXDOMAIN)

OK, whoever this is has no resolvable hostname. That doesn't - in and of
itself - mean a whole lot, plenty of systems aren't listed in DNS for
any number of perfectly valid reasons.

So, let's try a different tack:

moon@tvbox:~$ whois 192.115.16.120
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-se [...] right.html

inetnum: 192.115.16.0 - 192.115.31.255
netname: ACTCOM-NET-BLOCK3
descr: Actcom - Active Communication Ltd.
country: IL
admin-c: AH1743-RIPE
tech-c: AH1743-RIPE
status: ASSIGNED PA
mnt-by: MAINT-AS4148
changed: genah@actcom.co.il 20030821
source: RIPE

route: 192.115.16.0/20
descr: ACTCOM - Active Communications Ltd.
Haifa Tower, 63a Herzl St
Haifa, Israel
origin: AS4148
mnt-by: MAINT-AS4148
changed: vects@actcom.net.il 20020407
source: RIPE

person: ACTCOM's Hostmaster
address: ACTCOM - Active Communication Ltd.
address: P.O.Box 5402
address: Haifa 31054
address: Israel
phone: +972 4 8300123
fax-no: +972 4 8676088
e-mail: domain@actcom.co.il
nic-hdl: AH1743-RIPE
changed: genah@actcom.net.il 20030821
source: RIPE

Hey, whaddaya know, your ISP owns that netblock also. The question is,
why are you even seeing this packet on your wire? I'm thinking some kind
of a routing problem at your ISP is to blame here. When you run (at a
prompt) the command "/sbin/ifconfig ppp0" while connected, what do you
get in response? Are either of the IP addresses there 192.115.16.120?

--
Bill Mullen moon@lunarhub.com MA, USA RLU #270075 MDK 8.1 & 9.0
"In communities where men build ships for their own sons to fish or
fight from, quality is never a problem." -- J. A. Dever