[KLUG Members] Re: Shorewall.log file analysis help

Bob Kanaley members@kalamazoolinux.org
Mon, 25 Aug 2003 15:27:39 -0500


>> SRC=203.121.145.128 	The IP address of the packet source host
>> DST=12.249.253.250 	The IP address of the packet destination (eth0)
>
>Both of these are public addresses.  Do you expect to be routing between
>two public networks?
>
>> DPT=21 	Destination Port number used by ftp listening daemon

Adam,

No, I do not plan on routing between two public networks. I wouldn't want to
put any Internet backbone routers out of work :)

On this broadband cable firewall/router, the routing occurs between the
external network interface (eth0-12.249.253.0/24) and the internal network
interface (eth1-192.168.5.0/24).

In the firewall log file entry I broke down, the incoming ftp packet was
dropped at the external interface. But the packet did have to be read by the
firewall to know that it should be dropped. From what I have read, carefully
crafted packets seem to be the vector used to exploit many vulnerabilities.
If reading a packet containing malicious data in an IP header field can
cause a buffer overrun, I suspect my firewall could be compromised.

Since a lot can happen in a short time on a 3MB/sec cable broadband
connection, I don't want to miss any sophisticated attacks on my firewall
that might include malicious data in TCP/IP fields that could end up
compromising my security.

Your TCP/IP presentation to KLUG did include an explanation of the parameter
window=XXXX, but I have not been able to find any good references concerning
the significance of the rest of these mysterious IP fields. Consequently, I
don't know which fields I should be watching closely in my log files.

Any pointers would be greatly appreciated.

Bob

Robert V. Kanaley
Manager Information Systems
Agdia, Inc.
rvk@agdia.com
http://www.agdia.com
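The fields broken down above (SRC=, DST=, DPT=, WINDOW= and the bare flag tokens such as DF and SYN) are the kernel's iptables LOG target output that Shorewall writes to the log. The following is an added example, not code from the thread or from Shorewall, that parses such entries and tallies dropped packets on the external interface per source and destination port; the log lines are constructed for the example (reusing the SRC/DST/DPT values quoted in the post), and the flag check flags SYN+FIN or flagless TCP packets, combinations a normal client never sends and a defender would want to review.

```python
from collections import Counter

# Constructed sample of Shorewall log entries in the netfilter LOG layout.
# SRC/DST/DPT in the first two lines are the values quoted in the post; every
# other field value (MAC, LEN, TTL, ID, ports, WINDOW) is made up here.
SAMPLE_LOG = """\
Aug 25 14:02:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.121.145.128 DST=12.249.253.250 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41213 DF PROTO=TCP SPT=3077 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 25 14:02:14 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.121.145.128 DST=12.249.253.250 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41214 DF PROTO=TCP SPT=3078 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 25 14:05:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=12.249.253.250 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1 DPT=21 WINDOW=1024 RES=0x00 SYN FIN URGP=0
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_entry(line):
    """Return the netfilter fields of one log line as a dict, or None.

    KEY=VALUE tokens become entries (an empty value, e.g. OUT=, is kept as
    ""), bare tokens such as DF, SYN or FIN are collected under 'flags', and
    the Shorewall chain/disposition prefix glued to IN= is kept as 'prefix'.
    """
    pos = line.find("IN=")
    if pos < 0:
        return None
    prefix = line[:pos].rsplit(None, 1)[-1].rstrip(":")
    fields = {"prefix": prefix, "flags": []}
    for tok in line[pos:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["flags"].append(tok)
    return fields


def summarize(log_text, external_if="eth0"):
    """Count drops per (SRC, DPT) arriving on the external interface and list
    TCP entries whose flag combination (SYN together with FIN, or no flags at
    all) does not occur in a legitimate connection attempt."""
    per_src_port = Counter()
    odd_flags = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry.get("IN") != external_if:
            continue
        per_src_port[(entry["SRC"], entry.get("DPT"))] += 1
        if entry.get("PROTO") == "TCP":
            flags = set(entry["flags"]) & TCP_FLAGS
            if {"SYN", "FIN"} <= flags or not flags:
                odd_flags.append((entry["SRC"], sorted(flags)))
    return per_src_port, odd_flags
```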