Linksys BEFSR41v4: When is a firewall not a firewall?

Don Levey lug-TwWeWiF2EGRi+ztankeudA at public.gmane.org
Tue Jul 28 11:55:11 EDT 2009



I've got the above-mentioned Linksys/Cisco broadband router/firewall at
home, and have it set up to reject all connections except on a few
well-specified ports.  It has otherwise been working just fine: I have
several machines behind it, and traffic gets directed to the proper
machine whenever necessary.  It seemed that all improper traffic was
stopped there, but in the past week or so I've seen what look like
probing attacks from Korea that show up in my logwatch report from one
of my machines:

    From 218.75.144.6 - 284 packets
       To 192.168.1.80 - 284 packets
          Service: amt-esd-prot (udp/1082) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: indigo-server (udp/1176) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: krb5gatekeeper (udp/1318) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: cadkey-licman (udp/1399) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: laplink (udp/1547) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: citynl (udp/1729) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: can-dch (udp/1919) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: teleniumdaemon (udp/2060) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: infowave (udp/2082) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: foliocorp (udp/2242) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: 2564 (udp/2564) (REJECT-KOREATELECOM-01-) - 1 packet

and so on...

I've got iptables set up on this machine to reject outright (and log)
all traffic from this netblock.  I have similar rules on other machines
in the network, but only this ONE machine shows such connection
attempts.  The ports in question are NOT covered by the "pass" rules in
the Linksys, and so I previously would have said that they should have
been rejected before they even get to the machine in question.

So the questions are:
Why are these attempts getting past the Linksys in the first place, and
How are they being directed to this one machine?

Any ideas?

 -Don
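Added example (not part of Don's post or of logwatch itself): a small parser for the logwatch iptables summary layout quoted above, which rejoins the lines that the mail client wrapped and then flags, per source/destination pair, the pattern seen here (many distinct ports, one packet each) as a port sweep. The sample text and the sweep thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the logwatch report in the post,
# including one e-mail line-wrap that splits "- 1" from "packet".
SAMPLE = """\
    From 218.75.144.6 - 284 packets
       To 192.168.1.80 - 284 packets
          Service: amt-esd-prot (udp/1082) (REJECT-KOREATELECOM-01-) - 1
packet
          Service: laplink (udp/1547) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: 2564 (udp/2564) (REJECT-KOREATELECOM-01-) - 1 packet
          Service: http (tcp/80) (REJECT-KOREATELECOM-01-) - 3 packets
"""

FROM_RE = re.compile(r"^From (\S+) - (\d+) packets?")
TO_RE = re.compile(r"^To (\S+) - (\d+) packets?")
SVC_RE = re.compile(r"^Service: (\S+) \((tcp|udp|icmp)/(\d+)\) \((\S+)\) - (\d+) packets?")

def unwrap(text):
    """Rejoin continuation lines (no leading keyword) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("From ", "To ", "Service: ")):
            lines.append(line)
        elif lines:
            lines[-1] += " " + line
    return lines

def parse(text):
    """Return {(src, dst): [(proto, port, chain, count), ...]}."""
    hits = defaultdict(list)
    src = dst = None
    for line in unwrap(text):
        if m := FROM_RE.match(line):
            src, dst = m.group(1), None
        elif m := TO_RE.match(line):
            dst = m.group(1)
        elif (m := SVC_RE.match(line)) and src and dst:
            _name, proto, port, chain, n = m.groups()
            hits[(src, dst)].append((proto, int(port), chain, int(n)))
    return hits

def summarize(hits):
    """Per pair: distinct ports, single-packet rows, and a sweep flag (assumed thresholds)."""
    out = {}
    for key, rows in hits.items():
        ports = {(proto, port) for proto, port, _, _ in rows}
        singles = sum(1 for *_, n in rows if n == 1)
        sweep = len(ports) >= 3 and singles / len(rows) >= 0.5
        out[key] = {"ports": len(ports), "single_packet": singles, "sweep": sweep}
    return out
```

Run against a real report, the sweep flag tells you which (source, internal host) pairs deserve a look at the router's forwarding, DMZ and UPnP settings rather than at the host's own rules.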
