Posted by navti on May 19, 2007, 7:31 am
Can anyone shed some light on these entries in my firewall?
My firewall is set up to block all outbound UDP apart from NTP time
packets; the host 192.168.0.2 is a Mac running OSX 10.4.9.
Fri, 2007-05-18 10:26:37 - UDP Packet - Source:192.168.0.2,8198
Destination:67.65.250.199,24882 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198
Destination:71.59.25.30,6719 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198
Destination:12.206.139.221,59778 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198
Destination:71.80.1.166,30069 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198
Destination:67.160.106.161,2428 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198
Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198
Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198
Destination:83.31.133.79,48545 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198
Destination:83.6.3.170,38874 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:51 - UDP Packet - Source:192.168.0.2,8198
Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:51 - UDP Packet - Source:192.168.0.2,8198
Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:56 - UDP Packet - Source:192.168.0.2,8198
Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:56 - UDP Packet - Source:192.168.0.2,8198
Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:01 - UDP Packet - Source:192.168.0.2,8198
Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:01 - UDP Packet - Source:192.168.0.2,8198
Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:06 - UDP Packet - Source:192.168.0.2,8198
Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:06 - UDP Packet - Source:192.168.0.2,8198
Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:59 - UDP Packet - Source:192.168.0.2,8198
Destination:144.135.167.129,1307 - [Any(ALL) rule match]
Posted by Moe Trin on May 19, 2007, 12:03 pm
On 19 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
>My firewall is set up to block all outbound UDP apart from NTP time
>packets,
You don't use DNS? (outbound to 53, from your any > 1024)?
>the host 192.168.0.2 is a mac running OSX 10.4.9
=============== re-sorted by destination IP ================
12.206.139.221,59778 Mediacom New York state
67.65.250.199,24882 SW Bell dynamic ADSL in Oklahoma state
67.160.106.161,2428 Comcast dynamic Washington state
71.59.25.30,6719 Comcast dynamic Georgia state
71.80.1.166,30069 Charter dynamic Virginia state
83.6.3.170,38874 TPNet.pl "Neostrada Plus" dynamic ADSL
83.20.156.188,65049 TPNet.pl "Neostrada Plus" Poznan, dynamic ADSL
83.25.21.190,33025 TPNet.pl "Neostrada Plus" Rzeszow, dynamic ADSL
83.31.133.79,48545 TPNet.pl "Neostrada Plus" Warszawa, dynamic ADSL
144.135.167.129,1307 Telstra bigpond.com in Oz
===============
Well, the destination addresses are dynamic IPs, almost all residential
systems, with high (dynamic) port numbers. On your end, it's consistent
at port 8198. That port is in the IANA "Registered Port" range, but
that really means anyone can use it for anything. A cursory glance at
the SANS Internet Storm Center (http://isc.sans.org/port.html) doesn't
show that much activity.
As the source is your system, I'd be using something like lsof which
should be available on OSX and find out what application is using port
9198. I'd also look at the 'netstat' and 'ps -awux' outputs.
[compton ~]$ whatis lsof netstat ps
lsof (8) - list open files
netstat (8) - Display network connections, routing tables,
interface statistics, masquerade connections and netlink messages
ps (1) - report process status
[compton ~]$
Old guy
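As an added example (not code from either poster), a small Python script that does what Moe Trin did by hand: it parses the router's log lines in the format quoted above, re-groups them by local source port and destination, and flags a local port that fans out to many unrelated peers, which is the signature of a local application listening on a fixed UDP port rather than of anything arriving from outside. The sample log is constructed from five of the entries posted above, in their wrapped form.

```python
import re
from collections import defaultdict

# Matches one record of the SOHO router log format quoted above, after re-joining
# the wrapped "Destination:" half that the post shows on its own line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)\s+Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
    r" - \[(?P<rule>[^\]]+)\]$"
)

# Constructed sample: five of the entries from the post, in their wrapped form.
SAMPLE_LOG = """\
Fri, 2007-05-18 10:26:37 - UDP Packet - Source:192.168.0.2,8198
Destination:67.65.250.199,24882 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198
Destination:71.59.25.30,6719 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198
Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:51 - UDP Packet - Source:192.168.0.2,8198
Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:59 - UDP Packet - Source:192.168.0.2,8198
Destination:144.135.167.129,1307 - [Any(ALL) rule match]
"""

def parse_log(text):
    """Re-join wrapped records and parse each into a dict of named fields."""
    records, pending = [], ""
    for line in filter(None, map(str.strip, text.splitlines())):
        pending = f"{pending} {line}".strip()
        if "Destination:" not in pending:
            continue  # first half of a wrapped record; wait for the rest
        m = LINE_RE.match(pending)
        pending = ""
        if m:  # skip lines in some other format rather than crash on them
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def summarize(records):
    """Group by (src, sport) -> {(dst, dport): hit count}: Moe Trin's re-sort."""
    out = {}
    for r in records:
        out.setdefault((r["src"], r["sport"]), defaultdict(int))[(r["dst"], r["dport"])] += 1
    return out

def fan_out_sources(records, min_peers=4):
    """(src, sport) pairs that reached >= min_peers distinct peers: a local listener to find with lsof."""
    return sorted(k for k, d in summarize(records).items() if len(d) >= min_peers)
```

With the full log from the post, the same grouping shows every packet leaving from 192.168.0.2:8198 and the Polish addresses being retried every five seconds, which is what points at one local process rather than ten remote ones.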
Posted by navti on May 19, 2007, 1:19 pm
On May 19, 5:03 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On 19 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
>
> >My firewall is set up to block all outbound UDP apart from NTP time
> >packets,
>
> You don't use DNS? (outbound to 53, from your any > 1024)?
>
> >the host 192.168.0.2 is a mac running OSX 10.4.9
>
> =============== re-sorted by destination IP ================
> 12.206.139.221,59778 Mediacom New York state
> 67.65.250.199,24882 SW Bell dynamic ADSL in Oklahoma state
> 67.160.106.161,2428 Comcast dynamic Washington state
> 71.59.25.30,6719 Comcast dynamic Georgia state
> 71.80.1.166,30069 Charter dynamic Virginia state
> 83.6.3.170,38874 TPNet.pl "Neostrada Plus" dynamic ADSL
> 83.20.156.188,65049 TPNet.pl "Neostrada Plus" Poznan, dynamic ADSL
> 83.25.21.190,33025 TPNet.pl "Neostrada Plus" Rzeszow, dynamic ADSL
> 83.31.133.79,48545 TPNet.pl "Neostrada Plus" Warszawa, dynamic ADSL
> 144.135.167.129,1307 Telstra bigpond.com in Oz
> ===============
>
> Well, the destination addresses are dynamic IPs, almost all residential
> systems, with high (dynamic) port numbers. On your end, it's consistent
> at port 8198. That port is in the IANA "Registered Port" range, but
> that really means anyone can use it for anything. A cursory glance at
> the SANS Internet Storm Center (http://isc.sans.org/port.html) doesn't
> show that much activity.
>
> As the source is your system, I'd be using something like lsof which
> should be available on OSX and find out what application is using port
> 9198. I'd also look at the 'netstat' and 'ps -awux' outputs.
>
> [compton ~]$ whatis lsof netstat ps
> lsof (8) - list open files
> netstat (8) - Display network connections, routing tables,
> interface statistics, masquerade connections and netlink messages
> ps (1) - report process status
> [compton ~]$
>
> Old guy
Thanks, I used your advice; it turned out to be Skype.
Re DNS, I use a SOHO firewall/router which does the DNS lookups for
the clients behind it;
it isn't subject to the firewall rules, so I can block UDP.