Linksys BEFSR41v4: When is a firewall not a firewall?

Dan Ritter dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org
Tue Jul 28 12:03:27 EDT 2009


On Tue, Jul 28, 2009 at 11:55:11AM -0400, Don Levey wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I've got the above-mentioned Linksys/Cisco broadband router/firewall at
> home, and have it set up to reject all connections except on a few
> well-specified ports.  It has otherwise been working just fine: I have
> several machines behind it, and traffic gets directed to the proper
> machine whenever necessary.  It seemed that all improper traffic was
> stopped there, but in the past week or so I've seen what look like
> probing attacks from Korea that show up in my logwatch report from one
> of my machines:
> 
>     From 218.75.144.6 - 284 packets
>        To 192.168.1.80 - 284 packets
>           Service: amt-esd-prot (udp/1082) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: indigo-server (udp/1176) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: krb5gatekeeper (udp/1318) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: cadkey-licman (udp/1399) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: laplink (udp/1547) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: citynl (udp/1729) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: can-dch (udp/1919) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: teleniumdaemon (udp/2060) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: infowave (udp/2082) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: foliocorp (udp/2242) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: 2564 (udp/2564) (REJECT-KOREATELECOM-01-) - 1 packet
> 
> and so on...
> 
> I've got iptables set up on this machine to reject outright (and log)
> all traffic from this netblock.  I have similar rules on other machines
> in the network, but only this ONE machine shows such connection
> attempts.  The ports in question are NOT covered by the "pass" rules in
> the Linksys, and so I previously would have said that they should have
> been rejected before they even get to the machine in question.
> 
> So the questions are:
> Why are these attempts getting past the Linksys in the first place, and
> How are they being directed to this one machine?

Odds are very good that your Linksys has designated this one
machine's IP address as the place to send odd UDP packets,
perhaps on behalf of a VPN hole or ping hole?  Does the IP
appear in any field on the linksys's config?

-dsr-



-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.

You can't defend freedom by getting rid of it.
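The logwatch excerpt quoted in the question has a telltale shape: one external source, one internal host, many distinct UDP ports with a single packet each, which is what a DMZ/default-forward host sees when the router passes unsolicited traffic through instead of dropping it. The following parser and sweep detector is an added example written for this page, not code from either poster or from Linksys; the SAMPLE_REPORT text is a constructed excerpt in the same layout, and the second source block in it (203.0.113.9, a documentation address) is invented to show a non-sweep entry being ignored.

```python
"""Parse a logwatch iptables summary and flag single-destination UDP sweeps."""
import re
from collections import defaultdict

# Constructed sample in the logwatch layout quoted in the thread; the real
# report listed 284 packets, this keeps a handful plus one unrelated entry.
SAMPLE_REPORT = """\
 From 218.75.144.6 - 284 packets
    To 192.168.1.80 - 284 packets
       Service: amt-esd-prot (udp/1082) (REJECT-KOREATELECOM-01-) - 1 packet
       Service: indigo-server (udp/1176) (REJECT-KOREATELECOM-01-) - 1 packet
       Service: krb5gatekeeper (udp/1318) (REJECT-KOREATELECOM-01-) - 1 packet
       Service: laplink (udp/1547) (REJECT-KOREATELECOM-01-) - 1 packet
 From 203.0.113.9 - 2 packets
    To 192.168.1.80 - 2 packets
       Service: ssh (tcp/22) (REJECT-EXAMPLE-) - 2 packets
"""

FROM_RE = re.compile(r"^\s*From (\S+) - (\d+) packets?")
TO_RE = re.compile(r"^\s*To (\S+) - (\d+) packets?")
SVC_RE = re.compile(
    r"^\s*Service: \S+ \((tcp|udp)/(\d+)\) \((\S+)\) - (\d+) packets?")


def parse_report(text):
    """Return {(src, dst): [(proto, port, log_prefix, count), ...]}."""
    flows = defaultdict(list)
    src = dst = None
    for line in text.splitlines():
        if m := FROM_RE.match(line):
            src, dst = m.group(1), None      # new source block resets the dest
        elif m := TO_RE.match(line):
            dst = m.group(1)
        elif (m := SVC_RE.match(line)) and src and dst:
            flows[(src, dst)].append(
                (m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def find_sweeps(flows, min_ports=4):
    """Flag (src, dst) pairs where one source touched at least min_ports
    distinct UDP ports on one host with one packet each: a probe sweep,
    not a service the host is actually offering."""
    hits = []
    for (src, dst), entries in flows.items():
        single_hit_udp = {port for proto, port, _, n in entries
                          if proto == "udp" and n == 1}
        if len(single_hit_udp) >= min_ports:
            hits.append((src, dst, sorted(single_hit_udp)))
    return hits
```

A host that is the router's DMZ/default target will show such sweeps for ports the router's "pass" rules never mention; the other machines on the LAN will not, which matches what the question describes.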
