
BLU Discuss list archive



68.0.0.0/8 illegal?



Since I rebuilt my machine, I've been seeing a ton of denies in
/var/log/messages that didn't really make sense to me.  I think I
finally figured out why it's happening, but it doesn't make sense.

I built my rc.firewall from Robert Ziegler's site
(http://www.linux-firewall-tools.com/). I noticed a lot of lines in it
in this section:

    # refuse addresses defined as reserved by the IANA
    # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
    # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
    # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
...
    ipchains -A input  -i $EXTERNAL_INTERFACE  \
             -s 58.0.0.0/7 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE  \
             -s 60.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE  \
             -s 65.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE  \
             -s 66.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE  \
             -s 67.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE  \
             -s 68.0.0.0/8 -j DENY -l
...

The /var/log/messages lines look like:
Apr 22 04:02:47 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26223 F=0x4000 T=56 SYN (#32)
Apr 22 04:02:50 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26224 F=0x4000 T=56 SYN (#32)
Apr 22 04:02:56 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26225 F=0x4000 T=56 SYN (#32)
Apr 22 04:03:08 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26228 F=0x4000 T=56 SYN (#32)
Apr 22 04:03:32 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26230 F=0x4000 T=56 SYN (#32)
Apr 22 04:09:40 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.31.62.190:34979 24.91.178.175:25 L=60 S=0x00 I=0 F=0x4000 T=60 SYN (#32)

Apr 22 05:44:58 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5818 F=0x4000 T=58 SYN (#32)
Apr 22 05:45:01 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5819 F=0x4000 T=58 SYN (#32)
Apr 22 05:45:07 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5820 F=0x4000 T=58 SYN (#32)
Apr 22 05:45:19 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5821 F=0x4000 T=58 SYN (#32)
Apr 22 05:45:43 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5822 F=0x4000 T=58 SYN (#32)

Apr 22 06:02:47 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:3005 24.91.178.175:25 L=44 S=0x00 I=26877 F=0x4000 T=56 SYN (#32)
Apr 22 06:02:50 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:3005 24.91.178.175:25 L=44 S=0x00 I=26878 F=0x4000 T=56 SYN (#32)
Apr 22 06:02:56 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:3005 24.91.178.175:25 L=44 S=0x00 I=26879 F=0x4000 T=56 SYN (#32)
Apr 22 06:03:08 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:3005 24.91.178.175:25 L=44 S=0x00 I=26881 F=0x4000 T=56 SYN (#32)
Apr 22 06:03:32 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:3005 24.91.178.175:25 L=44 S=0x00 I=26883 F=0x4000 T=56 SYN (#32)
Apr 22 06:09:41 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.31.62.190:34984 24.91.178.175:25 L=60 S=0x00 I=0 F=0x4000 T=60 SYN (#32)

So I'm thinking, since these addresses seem to whois to real ISPs, that
these are valid addresses that I should NOT be blocking.

On the other hand, I think the SYN flag either means they initiated the
conversation, or that they are trying to do a SYN flood on my box.
Given that I only see like 10 in a row, I doubt the latter.

Thoughts?  Thanks.
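The two questions in the post (which "reserved" rule is catching these packets, and whether the repeated SYNs are a flood or just TCP retrying) can both be answered from the log alone. The following is an added example, not code from the post or from Robert Ziegler's rc.firewall: it parses ipchains "Packet log:" lines, reports which of the listed reserved-range rules each denied source falls into, and groups packets by 4-tuple so that the doubling gaps of a normal SYN retransmission (3, 6, 12, 24 s) stand out from a burst. The rule list is only the part visible in the excerpt above (the script elides the rest with "..."), the sample log lines are the post's own lines re-joined, and the timing thresholds in classify_timing are assumptions chosen for this example.

```python
"""Explain ipchains DENY log lines: which reserved-range rule matched, and
whether repeated SYNs from one source look like retransmission or a flood."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Only the ranges visible in the rc.firewall excerpt in the post; the real
# script lists more (assumption: this partial list is enough for the sample).
RESERVED_RULES = [ipaddress.ip_network(c) for c in (
    "58.0.0.0/7", "60.0.0.0/8", "65.0.0.0/8",
    "66.0.0.0/8", "67.0.0.0/8", "68.0.0.0/8",
)]

# Sample input: the post's /var/log/messages lines with the line wraps removed.
SAMPLE_LOG = [
    "Apr 22 04:02:47 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26223 F=0x4000 T=56 SYN (#32)",
    "Apr 22 04:02:50 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26224 F=0x4000 T=56 SYN (#32)",
    "Apr 22 04:02:56 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26225 F=0x4000 T=56 SYN (#32)",
    "Apr 22 04:03:08 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26228 F=0x4000 T=56 SYN (#32)",
    "Apr 22 04:03:32 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.92.67.47:2996 24.91.178.175:25 L=44 S=0x00 I=26230 F=0x4000 T=56 SYN (#32)",
    "Apr 22 04:09:40 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.31.62.190:34979 24.91.178.175:25 L=60 S=0x00 I=0 F=0x4000 T=60 SYN (#32)",
    "Apr 22 05:44:58 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5818 F=0x4000 T=58 SYN (#32)",
    "Apr 22 05:45:01 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5819 F=0x4000 T=58 SYN (#32)",
    "Apr 22 05:45:07 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5820 F=0x4000 T=58 SYN (#32)",
    "Apr 22 05:45:19 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5821 F=0x4000 T=58 SYN (#32)",
    "Apr 22 05:45:43 kramer kernel: Packet log: input DENY eth0 PROTO=6 66.30.159.83:13943 24.91.178.175:25 L=60 S=0x00 I=5822 F=0x4000 T=58 SYN (#32)",
]

# ipchains 2.x "Packet log:" format: chain, verdict, interface, PROTO,
# src:sport dst:dport, packet fields, TCP flag, and "(#N)" = rule number.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)\s*$"
)


def parse_line(line):
    """Return a dict of fields for one Packet log line, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # syslog has no year
    rec["syn"] = " SYN " in line
    for k in ("sport", "dport", "proto", "rule"):
        rec[k] = int(rec[k])
    return rec


def matching_reserved_rule(src):
    """First configured 'reserved' CIDR containing src, or None if none does."""
    addr = ipaddress.ip_address(src)
    for net in RESERVED_RULES:
        if addr in net:
            return str(net)
    return None


def classify_timing(stamps):
    """Distinguish the kernel's own SYN retransmit schedule (gaps that roughly
    double) from a burst of SYNs; thresholds are this example's assumption."""
    if len(stamps) < 2:
        return "single"
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if gaps[0] >= 1 and all(g2 >= 1.5 * g1 for g1, g2 in zip(gaps, gaps[1:])):
        return "retransmit"   # one client retrying with backoff, not a flood
    if sum(gaps) / len(gaps) < 1:
        return "burst"        # many SYNs per second on one 4-tuple
    return "irregular"


def summarize(lines):
    """Group denied SYNs by (src, sport, dst, dport) and explain each group."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY" and rec["syn"]:
            groups[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec["ts"])
    out = []
    for (src, sport, dst, dport), stamps in sorted(groups.items(), key=lambda kv: kv[1][0]):
        stamps.sort()
        out.append({
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "packets": len(stamps),
            "pattern": classify_timing(stamps),
            "reserved_rule": matching_reserved_rule(src),
        })
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d  %(packets)d SYN(s)  "
              "%(pattern)s  denied by rule for %(reserved_rule)s" % row)
```

Running it on the sample shows every source caught by the 66.0.0.0/8 rule and the five-packet groups spaced 3, 6, 12 and 24 seconds apart, which is what a single connect() to port 25 looks like when the SYNs go unanswered; the one-line entries from 66.31.62.190 are a mailer that tried once and moved on. Neither pattern is a SYN flood.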