[SunRescue] OT (?) - Strange NAT logging

Chris Byrne rescue at sunhelp.org
Fri Mar 30 17:59:20 CST 2001


David,

The best place to bring up issues like this is incidents at securityfocus.com

As far as the trace goes, I wouldn't trust the source IP address. It's most
likely spoofed. Start sniffing the packets and take a look at flags. Also
make sure that the routes you think your packets should be taking are the
routes they actually take.

Chris Byrne

-----Original Message-----
From: rescue-admin at sunhelp.org [mailto:rescue-admin at sunhelp.org]On
Behalf Of David Rouse
Sent: Friday, March 30, 2001 12:20
To: SunRescue List
Subject: [SunRescue] OT (?) - Strange NAT logging


This is a bit off-topic even for Rescue, but I value you guys' experience.

At work we use incoming and outgoing packet filter sets for our DMZ (the
filters cover the WAN port) and NAT for our internal computers. Lately I've
been getting odd entries on our outbound filters:

Mar 30 15:01:15 gateway1 IP FILTER: 'News-Argus OUT' rule# 12: deny:
src=xx.xx.xx.62(1024) dst=202.98.123.68(23) proto=6

The xx.xx.xx.62 is one of our NAT addresses. The outside address belongs to
some Chinese computer.

Thinking that one of our internal computers was for some reason trying to
connect to that CN box, I put a logging filter on port 23 on the inbound
side of the ethernet port that attaches to our internal network. I tested
the filter and it does log port 23 connections from inside, but none of the
CN stuff does. It's as if the router itself, using one of the NAT addresses,
is trying to connect to the CN box.

Anyone have an idea of what this might mean? I've looked around, but this
doesn't seem to be covered anywhere. Also, if you guys have a better idea of
a forum to bring this up in, please let me know.

Thanks.

--
drouse
--
David Rouse                            * Our World - Your World - RouseWorld
david at rouseworld.org                   * www.rouseworld.org
