Posted by Moe Trin on September 3, 2006, 12:44 pm
On 2 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
wrote:
>Let me start by saying I know nothing about firewalls and ports.
>However I have just started looking at the router logs on my wireless
>network. And I'm a little worried. For example I seem to be getting
>masses of Access Forwards from an almost sequential list of ports i.e:
>
>116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80
[compton ~]$ host 69.16.237.154
154.237.16.69.IN-ADDR.ARPA domain name pointer host1.ephotozine.com
[compton ~]$
>|ACCESS FORWARD
> Firewall default policy: TCP (L to W)
Someone surfing. The multiple access is because they are retrieving
multiple pages. It's from your wireless side, going out to the world.
>To my untrained eye, it seems odd that this access just goes through
>all the available ports (I have many more logs - it seemed to start
>with port 1028 and goes up to 4999 before starting again).
Normal - the single web page contains a number of URLs, and each has to
be retrieved separately.
>This is keeping the router busy all the time with up to 10 accesses per
>minute solidly throughout the day.
Are you the one accessing these sites, or are you acting as a public hot
spot because you left the router in the default condition?
>Is this normal?
For a system in use? Sure.
>Some of the destination ips seem to be expected (Google etc) others just
>point mysteriously at RIPE.NET or LIQUIDWEB.COM which we haven't knowingly
>visited but maybe they are adverts or something?
Or maybe the tool you are using to identify the names of sites is not the
right one to be using. 'RIPE.NET' is actually 'Reseaux IP Europeens'
which is the European regional Internet Registrar - one of the Internet
agencies that allocates IP addresses. "LIQUIDWEB.COM" is a bandwidth
provider in Lansing, Michigan (roughly halfway between Toronto and
Chicago). They happen to "own" the netspace used by that ephotozine.com
host.
[compton ~]$ arinwhois 69.16.237.154
[whois.arin.net]
OrgName: Liquid Web, Inc.
OrgID: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US
NetRange: 69.16.192.0 - 69.16.255.255
CIDR: 69.16.192.0/18
NetName: LIQUIDWEB-4
[...]
[compton ~]$
>Am I worrying unnecessarily?
If the local source of the requests (192.168.1.34) is your system, OR if
you are intentionally running a public hot-spot - probably OK. If this is
not the case, yeah you may have a problem. Remember that most windoze
style networking setups are configured such that anyone can use them out
of the box. Security is intentionally disabled because most users don't
want to read the crappy manual that came with the product, and the product
manufacturer saved money by not providing clear instructions of how to
set things up securely because they knew no one is interested.
Old guy
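The triage the reply walks through by hand (is the source your own machine, is it just fetching web pages, is anyone else on the wireless side) as a small added script; it is not from the thread, the sample lines are constructed in the layout of the entry quoted above, and the LAN range and known-host list are assumptions you would set to your own network:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the "|"-separated layout of the entry quoted in the post.
SAMPLE_LOG = """\
116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80 |ACCESS FORWARD
117|09/02/2006 15:24:29 |192.168.1.34:1592 |69.16.237.154:80 |ACCESS FORWARD
118|09/02/2006 15:24:31 |192.168.1.34:1593 |216.58.214.46:443 |ACCESS FORWARD
119|09/02/2006 15:25:02 |192.168.1.77:1028 |69.16.237.154:80 |ACCESS FORWARD
"""

# entry | timestamp | src:port | dst:port | action
LINE_RE = re.compile(r"^(?P<n>\d+)\|(?P<ts>[^|]+?)\s*\|(?P<src>[\d.]+):(?P<sport>\d+)\s*\|"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*\|(?P<action>.+?)\s*$")
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range; match your router
KNOWN_HOSTS = {"192.168.1.34"}                # assumed: the machines you actually own
WEB_PORTS = {80, 443}                         # destination ports of ordinary browsing

def parse_line(line):
    """Return a dict for one log entry, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {**m.groupdict(), "sport": int(m["sport"]), "dport": int(m["dport"])}

def classify(entry):
    """Label one outbound entry by what a defender cares about first: who sent it."""
    if ipaddress.ip_address(entry["src"]) not in LAN:
        return "not-lan"          # not an L-to-W entry at all
    if entry["src"] not in KNOWN_HOSTS:
        return "unknown-host"     # somebody else is using your wireless
    if entry["dport"] in WEB_PORTS:
        return "web"              # your own box fetching pages; sequential source ports are normal
    return "non-web"              # worth a second look: your box talking to something else

def summarize(log_text):
    """Count each category and collect LAN sources that are not yours."""
    counts, strangers = Counter(), set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "unknown-host":
            strangers.add(entry["src"])
    return counts, sorted(strangers)
```

Run it over a day's export from the router: a long run of "web" entries from your own address is the browsing the reply describes, while any address in the strangers list is the open hot-spot case.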