Help identify this firewall message

Archived from groups: alt.comp.networking.firewalls,alt.os.linux.mandrake,comp.os.linux.setup,comp.security.firewalls

Hi,
I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b firewall
on a stand alone PC.
I'm connected to the Internet via an ADSL connection using rp-pppoe.
The ADSL modem is connected to eth1 (eth0 is not connected and currently
not used) which is configured for a static 192.168.1.X IP address
(255.255.255.0 mask).

MY ISP's IP addresses are: 192.114.47.4 (P) & 192.117.47.52 (S).

Whenever I'm connected to the Internet (ppp0 present) my log file fills
(about every second) with the following entry:

"Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP:
IN=ppp0 OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00
PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840 RES=0x00
ACK SYN URGP=0"

Can somebody help me identify the source of this message and/or the
target IP (192.115.16.120)?

TIA
  1.

    On Sat, 10 Apr 2004 18:54:31 +0300, Michael Badt sputtered:

    > I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b
    > firewall on a stand alone PC. I'm connected to the Internet via an
    > ADSL connection using rp-pppoe. The ADSL modem is connected to eth1
    > (eth0 is not connected and currently not used) which is configured for
    > a static 192.168.1.X IP address (255.255.255.0 mask).

    > MY ISP's IP addresses are: 192.114.47.4 (P) & 192.117.47.52 (S).

    Those are their DNS server addresses, I presume?

    moon@tvbox:~$ host 192.114.47.4
    4.47.114.192.in-addr.arpa domain name pointer ns1.actcom.net.il.

    Yup. ;)

    > Whenever I'm connected to the Internet (ppp0 present) my log file
    > fills (about every second) with the following entry:

    > "Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP: IN=ppp0
    > OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00
    > PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840
    > RES=0x00 ACK SYN URGP=0"

    > Can somebody help me identify the source of this message and/or
    > the target IP (192.115.16.120)?

    Sure. Heck, you can even do it yourself ...

    moon@tvbox:~$ host 192.114.47.51
    51.47.114.192.in-addr.arpa domain name pointer proxy2.actcom.co.il.

    The source appears to be a proxy server at your ISP, running on port
    8080. The packet *appears* to be a response from this proxy server to a
    connection initiated from the 192.115.16.120 address.

    moon@tvbox:~$ host 192.115.16.120
    Host 120.16.115.192.in-addr.arpa not found: 3(NXDOMAIN)

    OK, whoever this is has no resolvable hostname. That doesn't - in and of
    itself - mean a whole lot, plenty of systems aren't listed in DNS for
    any number of perfectly valid reasons.

    So, let's try a different tack:

    moon@tvbox:~$ whois 192.115.16.120
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum: 192.115.16.0 - 192.115.31.255
    netname: ACTCOM-NET-BLOCK3
    descr: Actcom - Active Communication Ltd.
    country: IL
    admin-c: AH1743-RIPE
    tech-c: AH1743-RIPE
    status: ASSIGNED PA
    mnt-by: MAINT-AS4148
    changed: genah@actcom.co.il 20030821
    source: RIPE

    route: 192.115.16.0/20
    descr: ACTCOM - Active Communications Ltd.
    Haifa Tower, 63a Herzl St
    Haifa, Israel
    origin: AS4148
    mnt-by: MAINT-AS4148
    changed: vects@actcom.net.il 20020407
    source: RIPE

    person: ACTCOM's Hostmaster
    address: ACTCOM - Active Communication Ltd.
    address: P.O.Box 5402
    address: Haifa 31054
    address: Israel
    phone: +972 4 8300123
    fax-no: +972 4 8676088
    e-mail: domain@actcom.co.il
    nic-hdl: AH1743-RIPE
    changed: genah@actcom.net.il 20030821
    source: RIPE

    Hey, whaddaya know, your ISP owns that netblock also. The question is,
    why are you even seeing this packet on your wire? I'm thinking some kind
    of a routing problem at your ISP is to blame here. When you run (at a
    prompt) the command "/sbin/ifconfig ppp0" while connected, what do you
    get in response? Are either of the IP addresses there 192.115.16.120?

    --
    Bill Mullen moon@lunarhub.com MA, USA RLU #270075 MDK 8.1 & 9.0
    "In communities where men build ships for their own sons to fish or
    fight from, quality is never a problem." -- J. A. Dever
  2.

    Michael Badt wrote:

    >Hi,
    >I use Mandrake 10 community (kernel 2.6.3) with shorewall 2.0.0.b firewall
    >on a stand alone PC.
    >I'm connected to the Internet via an ADSL connection using rp-pppoe.
    >The ADSL modem is connected to eth1 (eth0 is not connected and currently
    >not used) which is configured for a static 192.168.1.X IP address
    >(255.255.255.0 mask).
    >
    >MY ISP's IP addresses are: 192.114.47.4 (P) & 192.117.47.52 (S).
    >
    >Whenever I'm connected to the Internet (ppp0 present) my log file fills
    >(about every second) with the following entry:
    >
    >"Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP:
    >IN=ppp0 OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00
    >PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840 RES=0x00
    >ACK SYN URGP=0"
    >
    >Can somebody help me identify the source of this message and/or the
    >target IP (192.115.16.120)?

    The reason you're getting this message is because you probably haven't
    configured Shorewall to accept established and/or related packets for
    your ISP's proxy server. It's complaining about receiving a new TCP
    packet without the proper SYN flag.

    The target (DST) IP is (of course) you.
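To make the second answer's diagnosis concrete, here is an added example (not code from either poster) that parses the kernel/Shorewall log line into its fields, decodes the bare TCP flag tokens, and shows why a SYN/ACK for which conntrack holds no matching outbound SYN lands in the newnotsyn chain. The `tracked` set is a constructed stand-in for the kernel's connection table; the sample line is the one from the post, joined onto one line.

```python
import re

# Constructed sample: the log line from the post, joined onto a single line.
SAMPLE_LOG = ("Apr 10 07:04:18 localhost kernel: Shorewall:newnotsyn:DROP: "
              "IN=ppp0 OUT= MAC= SRC=192.114.47.51 DST=192.115.16.120 LEN=52 TOS=0x00 "
              "PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=33167 WINDOW=5840 RES=0x00 "
              "ACK SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_netfilter_log(line: str) -> dict:
    """Split a netfilter log line into the Shorewall chain/action prefix, its
    KEY=VALUE fields, and the bare TCP flag tokens (ACK, SYN, ...) that
    netfilter prints without an '=' sign."""
    prefix_m = re.search(r"Shorewall:([^:]+):([A-Z]+):", line)
    chain, action = (prefix_m.group(1), prefix_m.group(2)) if prefix_m else (None, None)
    body = line[prefix_m.end():] if prefix_m else line
    fields = dict(KV_RE.findall(body))
    bare_tokens = {t for t in body.split() if "=" not in t}   # DF, ACK, SYN, ...
    fields["FLAGS"] = sorted(TCP_FLAGS & bare_tokens)
    fields["CHAIN"], fields["ACTION"] = chain, action
    return fields

def classify_newnotsyn(fields: dict, tracked: set) -> str:
    """Explain how Shorewall's newnotsyn logic sees this packet. 'tracked' is a
    constructed stand-in for the conntrack table: (src, sport, dst, dport)
    tuples of connections whose initial SYN the firewall actually saw."""
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    flags = set(fields["FLAGS"])
    # A reply to a tracked connection has our side as the originator.
    reply_key = (fields["DST"], int(fields["DPT"]), fields["SRC"], int(fields["SPT"]))
    if reply_key in tracked:
        return "established-reply"      # conntrack: ESTABLISHED, nothing logged
    if flags == {"SYN"}:
        return "new-syn"                # a proper new connection attempt
    if {"SYN", "ACK"} <= flags:
        return "newnotsyn-synack"       # SYN/ACK with no tracked SYN: orphaned reply
    return "newnotsyn-other"            # e.g. bare ACK/FIN with no state

if __name__ == "__main__":
    parsed = parse_netfilter_log(SAMPLE_LOG)
    print(parsed["CHAIN"], parsed["SRC"], parsed["FLAGS"], classify_newnotsyn(parsed, set()))
```

With an empty connection table the post's packet classifies as an orphaned SYN/ACK, which is exactly the case the newnotsyn chain logs; once the matching outbound SYN is in the table, the same packet is an established reply.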