[KLUG Members] Re: Shorewall.log file analysis help

Adam Williams members@kalamazoolinux.org
Tue, 26 Aug 2003 08:54:27 -0400


> >> SRC=203.121.145.128 	The IP address of the packet source host
> >> DST=12.249.253.250 	The IP address of the packet destination (eth0)
> >Both of these are public addresses.  Do you expect to be routing between
> >two public networks?
> >> DPT=21 	Destination Port number used by ftp	listening daemon
> Adam,
> No, I do not plan on routing between two public networks. I wouldn't want to
> put any Internet backbone routers out of work :)
> On this broadband cable firewall/router, the routing occurs between the
> external network interface (eth0-12.249.253.0/24) and the internal network
> interface (eth1-192.168.5.0/24).

So, since one of the above addresses was your external interface I'd
wager someone either (a) is scanning for FTP servers or (b) fat-fingered
a DNS or host entry somewhere.

> In the firewall log file entry I broke down, the incoming ftp packet was
> dropped at the external interface. But the packet did have to be read by the
> firewall to know that it should be dropped. From what I have read, carefully
> crafted packets seem to be the vector used to exploit many vulnerabilities.
> If reading a packet containing malicious data in an IP header field can
> cause a buffer overrun, I suspect my firewall could be compromised.

It can theoretically, people try to crack the stack, without depending
on any running service.  But usually such a technique only allows them
to DOS the machine, not gain control (although there are exceptions).  I
wouldn't worry about it unless you have other reasons to be suspicious.
A current iptables firewall is pretty hard to breach.

> Your TCP/IP presentation to KLUG did include an explanation of the parameter
> window=XXXX, but I have not been able to find any good references concerning
> the significance of the rest of these mysterious IP fields. Consequently, I
> don't know which fields I should be watching closely in my log files.

You need the white hard-cover TCP/IP networking book with the red swirl
on the spine and cover.  By Addison?  I can't recall and don't have it
handy here.  Unfortunately most TCP/IP books around are just worthless
"intro to IP networking" crap.
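One way to start pulling the fields this thread is discussing out of the log, as an added example that is not part of the original thread or of Shorewall itself: a small Python script that parses the KEY=VALUE fields of netfilter log lines, tallies dropped packets per destination port arriving on the external interface, and flags any source whose dropped packets touched several different ports, which is the "scanning" explanation Adam offers. The sample lines are constructed; the `Shorewall:chain:DISPOSITION:` prefix and the IN/OUT/PROTO/SPT fields are assumed from the standard netfilter LOG layout, while SRC, DST, DPT and WINDOW are the fields quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the original log). The two addresses
# from the thread are reused; the rest are documentation addresses.
SAMPLE_LOG = """\
Aug 26 08:12:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.121.145.128 DST=12.249.253.250 PROTO=TCP SPT=4123 DPT=21 WINDOW=16384
Aug 26 08:12:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.121.145.128 DST=12.249.253.250 PROTO=TCP SPT=4124 DPT=22 WINDOW=16384
Aug 26 08:12:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.121.145.128 DST=12.249.253.250 PROTO=TCP SPT=4125 DPT=23 WINDOW=16384
Aug 26 08:13:40 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=12.249.253.250 PROTO=TCP SPT=51000 DPT=21 WINDOW=5840
Aug 26 08:14:02 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.5.10 DST=198.51.100.9 PROTO=TCP SPT=33000 DPT=80 WINDOW=5840
"""

# netfilter writes every header field as UPPERCASE=value; OUT= may be empty.
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')
# Assumed Shorewall prefix layout: "Shorewall:<chain>:<disposition>:".
DISPOSITION_RE = re.compile(r':(ACCEPT|DROP|REJECT):')


def parse_log_line(line):
    """Return the KEY=VALUE fields of one log line as a dict, plus the
    Shorewall disposition (ACCEPT/DROP/REJECT) under 'DISPOSITION'."""
    fields = dict(FIELD_RE.findall(line))
    m = DISPOSITION_RE.search(line)
    fields['DISPOSITION'] = m.group(1) if m else None
    return fields


def parse_log(text):
    """Parse every line that carries a SRC= field; other syslog noise is skipped."""
    return [parse_log_line(l) for l in text.splitlines() if 'SRC=' in l]


def dropped_ports(records, iface='eth0'):
    """Count dropped packets per (PROTO, DPT) that arrived on iface."""
    counts = Counter()
    for r in records:
        if r.get('IN') == iface and r['DISPOSITION'] == 'DROP' and 'DPT' in r:
            counts[(r.get('PROTO'), int(r['DPT']))] += 1
    return counts


def suspected_scanners(records, iface='eth0', min_ports=3):
    """Sources whose dropped packets on iface hit at least min_ports distinct
    destination ports; one source walking several ports is the usual
    signature of a port scan rather than a mistyped host entry."""
    ports = defaultdict(set)
    for r in records:
        if r.get('IN') == iface and r['DISPOSITION'] == 'DROP' and 'DPT' in r:
            ports[r['SRC']].add(int(r['DPT']))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for (proto, dpt), n in sorted(dropped_ports(recs).items()):
        print(f'{proto} port {dpt}: {n} dropped on eth0')
    for src, plist in suspected_scanners(recs).items():
        print(f'{src} probed ports {plist}')
```

Point it at the real file with `parse_log(open('/var/log/shorewall.log').read())`; the threshold in `suspected_scanners` is a starting value, and a single source that keeps hitting one port (the second address in the sample) is the pattern to compare against the "mistyped host entry" explanation.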