
BLU Discuss list archive



Linksys BEFSR41v4: When is a firewall not a firewall?



On Tue, Jul 28, 2009 at 11:55:11AM -0400, Don Levey wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I've got the above-mentioned Linksys/Cisco broadband router/firewall at
> home, and have it set up to reject all connections except on a few
> well-specified ports.  It has otherwise been working just fine: I have
> several machines behind it, and traffic gets directed to the proper
> machine whenever necessary.  It seemed that all improper traffic was
> stopped there, but in the past week or so I've seen what look like
> probing attacks from Korea that show up in my logwatch report from one
> of my machines:
> 
>     From 218.75.144.6 - 284 packets
>        To 192.168.1.80 - 284 packets
>           Service: amt-esd-prot (udp/1082) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: indigo-server (udp/1176) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: krb5gatekeeper (udp/1318) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: cadkey-licman (udp/1399) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: laplink (udp/1547) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: citynl (udp/1729) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: can-dch (udp/1919) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: teleniumdaemon (udp/2060) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: infowave (udp/2082) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: foliocorp (udp/2242) (REJECT-KOREATELECOM-01-) - 1 packet
>           Service: 2564 (udp/2564) (REJECT-KOREATELECOM-01-) - 1 packet
> 
> and so on...
> 
> I've got iptables set up on this machine to reject outright (and log)
> all traffic from this netblock.  I have similar rules on other machines
> in the network, but only this ONE machine shows such connection
> attempts.  The ports in question are NOT covered by the "pass" rules in
> the Linksys, and so I previously would have said that they should have
> been rejected before they even get to the machine in question.
> 
> So the questions are:
> Why are these attempts getting past the Linksys in the first place, and
> How are they being directed to this one machine?

Odds are very good that your Linksys has designated this one
machine's IP address as the place to send odd UDP packets,
perhaps on behalf of a VPN hole or ping hole?  Does the IP
appear in any field on the linksys's config?

-dsr-



-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.

You can't defend freedom by getting rid of it.
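The reply's reasoning can be turned into a check on the logwatch report itself. A NAT router with no matching forward entry has nowhere to send an unsolicited inbound packet, so it drops it; if one LAN host is nevertheless receiving single packets on many unrelated, unforwarded ports from the same outside address, the router must have a catch-all (DMZ / default-host) entry naming that host. The script below is an added example, not code from the thread or from either poster: it parses the logwatch iptables summary format quoted above, subtracts the port-forward rules the operator knows about, and names any host that still receives traffic on several unforwarded ports. The report text is constructed for the example (modelled on the quoted report, with a second host and its single forwarded port invented for contrast), and the FORWARDS set stands in for whatever "pass" rules are actually configured on the Linksys.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a logwatch iptables summary. The
# 192.168.1.80 lines mirror the report quoted in the post; 192.168.1.10 and
# its ssh entry are invented so the comparison has something to contrast.
SAMPLE_REPORT = """\
From 218.75.144.6 - 286 packets
   To 192.168.1.80 - 284 packets
      Service: amt-esd-prot (udp/1082) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: indigo-server (udp/1176) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: krb5gatekeeper (udp/1318) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: cadkey-licman (udp/1399) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: laplink (udp/1547) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: citynl (udp/1729) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: can-dch (udp/1919) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: teleniumdaemon (udp/2060) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: infowave (udp/2082) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: foliocorp (udp/2242) (REJECT-KOREATELECOM-01-) - 1 packet
      Service: 2564 (udp/2564) (REJECT-KOREATELECOM-01-) - 1 packet
   To 192.168.1.10 - 2 packets
      Service: ssh (tcp/22) (REJECT-KOREATELECOM-01-) - 2 packets
"""

# Hypothetical port-forward ("pass") rules on the router: (lan_host, (proto, port)).
# Replace with the entries actually configured on the Linksys.
FORWARDS = {("192.168.1.10", ("tcp", 22))}

FROM_RE = re.compile(r"^From (\S+) - (\d+) packets?$")
TO_RE = re.compile(r"^\s+To (\S+) - (\d+) packets?$")
SVC_RE = re.compile(
    r"^\s+Service: (\S+) \((tcp|udp|icmp)/(\d+)\) \(([^)]*)\) - (\d+) packets?$"
)


def parse_logwatch(text):
    """Return {(src, dst): {(proto, port): packets}} from a logwatch summary."""
    hits = defaultdict(dict)
    src = dst = None
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            src, dst = m.group(1), None          # new source block
            continue
        m = TO_RE.match(line)
        if m:
            dst = m.group(1)                     # destination within that block
            continue
        m = SVC_RE.match(line)
        if m and src and dst:
            _name, proto, port, _log_prefix, count = m.groups()
            key = (proto, int(port))
            hits[(src, dst)][key] = hits[(src, dst)].get(key, 0) + int(count)
    return dict(hits)


def unforwarded_hits(hits, forwards):
    """Per LAN host, the (proto, port) keys that reached it with no forward rule."""
    result = defaultdict(set)
    for (_src, dst), ports in hits.items():
        for key in ports:
            if (dst, key) not in forwards:
                result[dst].add(key)
    return dict(result)


def default_host_candidates(hits, forwards, min_ports=5):
    """Hosts hit on at least min_ports unforwarded ports.

    Unsolicited packets on ports the router has no forward for should be
    dropped at the NAT; a host that still receives many of them is the likely
    DMZ / default host in the router's configuration.
    """
    unforwarded = unforwarded_hits(hits, forwards)
    return sorted(dst for dst, keys in unforwarded.items() if len(keys) >= min_ports)


if __name__ == "__main__":
    parsed = parse_logwatch(SAMPLE_REPORT)
    for dst, keys in sorted(unforwarded_hits(parsed, FORWARDS).items()):
        print(f"{dst}: {len(keys)} unforwarded ports, e.g. {sorted(keys)[:3]}")
    print("probable DMZ/default host(s):", default_host_candidates(parsed, FORWARDS))
```

Run it against the real report (paste the logwatch block into SAMPLE_REPORT, or read it from a file) after filling FORWARDS from the router's forwarding pages. If the flagged host turns out to be the one named in a DMZ or default-server field on the Linksys, that explains both questions in the post: the packets are not "getting past" the filter rules, the router is deliberately handing every unmatched inbound packet to that host, which is why only that machine's iptables sees them.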






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
