tarballed
April 3rd, 2003, 19:02
Ok, I thought I would post a snip from my firewall log. I wanted to get some feedback on this constant block I receive.
Before I go on, I have to say that the Firewall that we use is decent. I will however, be able to setup a *BSD box with Snort on it and connect it to the Firewall. There is a little utility that will allow me to do that. But, that is not to come for a bit.
Here is the log:
04/03/03 13:38 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35175 (default)
04/03/03 13:38 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35175 (default)
04/03/03 13:38 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35175 (default)
04/03/03 13:38 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35175 (default)
04/03/03 13:39 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47067 113 syn (default)
04/03/03 13:39 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47078 113 syn (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35204 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35204 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35203 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35203 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35203 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35203 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35203 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 60 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35200 (default)
04/03/03 13:41 firewalld[104]: deny in eth0 63 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35213 (default)
04/03/03 13:41 firewalld[104]: deny in eth0 63 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35213 (default)
04/03/03 13:41 firewalld[104]: deny in eth0 63 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35213 (default)
04/03/03 13:41 firewalld[104]: deny in eth0 63 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35213 (default)
04/03/03 13:42 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47256 113 syn (default)
04/03/03 13:43 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47307 113 syn (default)
04/03/03 13:43 firewalld[104]: deny in eth0 463 udp 20 115 216.55.144.27 209.126.xxx.xxx 1051 135 (default)
04/03/03 13:43 firewalld[104]: deny in eth0 463 udp 20 115 216.55.144.27 209.126.xxx.xxx 1051 135 (default)
04/03/03 13:43 firewalld[104]: deny in eth0 463 udp 20 115 216.55.144.27 209.126.xxx.xxx 1051 135 (default)
04/03/03 13:43 firewalld[104]: deny in eth0 463 udp 20 115 216.55.144.27 209.126.xxx.xxx 1051 135 (default)
04/03/03 13:43 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47349 113 syn (default)
04/03/03 13:44 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47414 113 syn (default)
04/03/03 13:45 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47446 113 syn (default)
I will provide a little info on how to read this:
deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35175 (
Deny -- deny packet :)
in -- direction in
Interface -- firewall interface eth0
Total packet length -- 62
Protocol -- udp
IP Header length -- 20
TTL -- 61
Source address -- 216.98.128.70 <----(Our ISP's DNS server)
Destination address -- 209.126.xxx.xxx <---our firewall IP
Source port -- 53
Destination port -- 35175
Well, thought I'd just throw this out for fun.
Feel free to comment.
Tarballed
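As an added example (not part of the original post, and not a tool the poster used), here is a small parser that follows the field legend above and tallies the denied traffic by source, protocol and a heuristic label. The sample input is a subset of the log lines quoted in the post, with the destination octets masked exactly as in the original. The three labels in `classify()` are the editor's own assumptions about what such records usually are, stated as reading aids rather than findings: a UDP packet from source port 53 to an ephemeral port is what a resolver's answer looks like when the firewall has already dropped its state for the query, a TCP SYN to port 113 is an ident lookup, and udp/135 is the Microsoft RPC endpoint mapper port.

```python
"""Parse and summarize 'firewalld' deny records in the format quoted in the post.

Field order follows the legend in the post: action, direction, interface,
total packet length, protocol, IP header length, TTL, source address,
destination address, source port, destination port, optional TCP flags,
and the rule name in parentheses.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# A subset of the lines from the post (sample input, destination masked as in the original).
SAMPLE_LOG = """\
04/03/03 13:38 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35175 (default)
04/03/03 13:38 firewalld[104]: deny in eth0 62 udp 20 61 216.98.128.70 209.126.xxx.xxx 53 35175 (default)
04/03/03 13:39 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47067 113 syn (default)
04/03/03 13:39 firewalld[104]: deny in eth0 60 tcp 20 61 216.98.128.68 209.126.xxx.xxx 47078 113 syn (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35203 (default)
04/03/03 13:40 firewalld[104]: deny in eth0 62 udp 20 61 216.98.138.70 209.126.xxx.xxx 53 35203 (default)
04/03/03 13:43 firewalld[104]: deny in eth0 463 udp 20 115 216.55.144.27 209.126.xxx.xxx 1051 135 (default)
04/03/03 13:43 firewalld[104]: deny in eth0 463 udp 20 115 216.55.144.27 209.126.xxx.xxx 1051 135 (default)
"""

# One regex for the whole record; the TCP flag list is optional (UDP lines have none).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<action>\w+) (?P<direction>in|out) (?P<iface>\S+) "
    r"(?P<length>\d+) (?P<proto>\w+) (?P<hdr_len>\d+) (?P<ttl>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
    r"(?: (?P<flags>[a-z,]+))? \((?P<rule>[^)]*)\)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the record as a dict with numeric fields converted, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "length", "hdr_len", "ttl", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec: dict) -> str:
    """Heuristic label (editor's assumption, not a verdict) for a denied packet."""
    proto, sport, dport = rec["proto"], rec["sport"], rec["dport"]
    if proto == "udp" and sport == 53 and dport >= 1024:
        # Looks like a resolver's answer arriving after the firewall dropped the query's state.
        return "dns-reply-no-state"
    if proto == "tcp" and dport == 113 and rec["flags"] == "syn":
        # An ident (RFC 1413) lookup from the remote host.
        return "ident-lookup"
    if proto == "udp" and dport == 135:
        # Unsolicited datagram to the Microsoft RPC endpoint mapper port.
        return "udp135-unsolicited"
    return "other"


def summarize(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Count denied packets per (source address, protocol, label)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny":
            continue
        counts[(rec["src"], rec["proto"], classify(rec))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, proto, label), n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {src:16} {proto:4} {label}")
```

Feeding the full log from the post through `summarize()` gives a per-source count that makes the "constant block" easier to reason about: the high-volume entries all come from source port 53, which is the first thing to compare against the firewall's UDP state timeout before treating them as anything more than late resolver answers.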