Honeypots mailing list archives

Re: Log help [resend]


From: paul <xml () mailandnews com>
Date: 17 Mar 2003 15:49:44 +0000

[resent since it didn't get through first time]
Rhett wrote:

"How" is this traffic coming through my firewall. I'm not
allowing port 43545 into this device. This device shouldn't
be trying to get to any web pages, and I'm not seeing the
SYN packet attempt on the way out.

I installed honeyd a few days ago and probably came across the
same issue. What's happening is the syn to port 80 comes in and
is sniffed by honeyd's calls to libpcap. Then it sends a syn ack
back to the source, which has the unintended consequence of
opening up a hole in a stateful firewall (iptables in my case).
Then the next packet comes in, is replied to by honeyd, but is
also passed through your firewall to the destination, which
doesn't know about the connection, so resets it.

Also what do the characters after the port number mean? I believe
the number is the time the "connection" was used, but is that in
seconds? What do the last characters mean SA RA? Why does that differ
from this entry?

syn+ack, reset+ack

Looking at the source, " S " and " E " are the start and end of a
flow that it is handling, whereas " - " are packets it isn't handling,
but just logging.

To solve the problem, you need to drop all incoming traffic so that
it can't be accepted even if it's in the state table. If you're
using iptables and have no legitimate web servers, then you could
just insert an iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j DROP

You might also like to read this, for more info:
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

Paul
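The log fields Paul decodes above (the " S ", " E " and " - " markers, and flag letters such as SA and RA) worked through as a small parser, plus a check for the symptom he describes: a reset that honeyd only logged rather than handled, sent from an address honeyd is supposed to own. This is an added example, not code from the original thread or from the honeyd project; the line layout, the sample lines and the `leaked_resets` heuristic are assumptions constructed to match what the message says, so adjust the regex to the format your honeyd version actually writes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample lines in the layout assumed here:
#   timestamp proto(num) marker src sport dst dport[: size [FLAGS]] [extra]
# "S" = start of a flow honeyd handles, "E" = end of that flow,
# "-" = a packet honeyd is not handling, only logging.
# FLAGS use tcpdump letters: S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG.
SAMPLE_LOG = """\
2003-03-17-15:40:01.0001 tcp(6) S 203.0.113.7 43545 192.0.2.10 80 [Windows XP SP1]
2003-03-17-15:40:01.0020 tcp(6) - 192.0.2.10 80 203.0.113.7 43545: 40 RA
2003-03-17-15:40:03.1200 tcp(6) E 203.0.113.7 43545 192.0.2.10 80: 120 0
2003-03-17-15:40:05.0000 udp(17) - 203.0.113.9 5353 192.0.2.10 5353: 64
"""

FLAG_NAMES = {'S': 'SYN', 'A': 'ACK', 'R': 'RST', 'F': 'FIN', 'P': 'PSH', 'U': 'URG'}

# Assumed layout (see above); everything after the colon is parsed per marker.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<proto>[a-z]+)\((?P<pnum>\d+)\)\s+(?P<marker>[SE-])\s+'
    r'(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)'
    r'(?::(?P<rest>[^\[]*))?(?:\s*\[(?P<extra>[^\]]*)\])?\s*$'
)


@dataclass
class Entry:
    ts: str
    proto: str
    marker: str          # 'S', 'E' or '-'
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ''      # raw flag letters, only present on '-' tcp lines
    size: Optional[int] = None  # first number after the colon (packet size on '-',
                                # bytes sent on 'E'), as assumed here
    extra: str = ''      # bracketed text, e.g. the emulated OS personality

    @property
    def kind(self) -> str:
        return {'S': 'flow start', 'E': 'flow end', '-': 'unhandled packet'}[self.marker]


def decode_flags(flags: str) -> str:
    """Expand tcpdump-style flag letters: 'SA' -> 'SYN+ACK', 'RA' -> 'RST+ACK'."""
    if not flags:
        return '(none)'
    return '+'.join(FLAG_NAMES.get(c, c) for c in flags)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = (m.group('rest') or '').split()
    size = int(fields[0]) if fields and fields[0].isdigit() else None
    flags = ''
    if m.group('marker') == '-' and len(fields) > 1 and fields[1].isalpha():
        flags = fields[1]
    return Entry(ts=m.group('ts'), proto=m.group('proto'), marker=m.group('marker'),
                 src=m.group('src'), sport=int(m.group('sport')),
                 dst=m.group('dst'), dport=int(m.group('dport')),
                 flags=flags, size=size, extra=m.group('extra') or '')


def parse_log(text: str) -> List[Entry]:
    """Parse all lines, silently skipping ones that do not match."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e is not None]


def leaked_resets(entries: List[Entry], honeypot_ips: Set[str]) -> List[Entry]:
    """Heuristic (assumed) for the symptom in the thread: a TCP packet honeyd
    only logged ('-'), carrying RST, sent from an address honeyd should own.
    Something other than honeyd answered, i.e. the packet got past the
    firewall to a real stack that knew nothing about the connection."""
    return [e for e in entries
            if e.marker == '-' and e.proto == 'tcp'
            and 'R' in e.flags and e.src in honeypot_ips]


if __name__ == '__main__':
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.ts} {e.kind:16} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"{decode_flags(e.flags) if e.marker == '-' and e.proto == 'tcp' else ''} {e.extra}")
    for e in leaked_resets(parsed, {'192.0.2.10'}):
        print(f"possible firewall leak: reset from {e.src}:{e.sport} at {e.ts}")
```

Run it against a real honeyd log with the honeypot addresses from your honeyd configuration in `honeypot_ips`; a non-empty `leaked_resets` result after adding the DROP rule Paul suggests means the rule is not catching everything (for example traffic arriving on another interface or port).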


