[Shorewall-users] Help with interpreting log - New Question

Tom Eastep teastep at shorewall.net
Tue Aug 12 15:31:33 PDT 2003


On Mon, 2003-08-11 at 23:14, Cliff wrote:
> Hi Steve,
> 
> Monday, August 11, 2003, 6:51:09 PM, you wrote:
> 
> SL> Do these log entries make sense to anyone?
> SL> Aug 11 19:32:26 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=
> SL> MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:58:1e:08:00 SRC=192.168.1.72
> 
> I see the same sort of thing from 10.0.0.76 port 110 on my ppp0 interface.
> I do not use the 10.x address space on my localnet.
> 
> When I look at my email headers I can see that 10.0.0.74 is
> the address of a working mail server run by my provider.
> 
> So...it appears my provider has a past history
> of using the 10.0.0.x address space for its servers.
> ..and I'm getting hit on port 110....hmmmmmm.
> 2+2=4?
> 
> Perhaps my provider has forgotten about some old
> mailserver that was supposed to be taken out of service???

It is perfectly acceptable for an ISP to use RFC 1918 addresses within
their infrastructure. This is pointed out in the QuickStart guides. A
POP3 server that serves customers would be a good choice for such use by
an ISP.

> 
> The firewall denials are much too regular to be
> some sort of spoof attack. They come in groups of
> 4 at seemingly stable intervals, though I haven't
> taken the time to sleuth what interval/timeperiod.
> 
> ...and what is a pop mail box trying to do - I thought
> that with a pop server, it's only responding to pop
> requests...as opposed to originating them as this box
> seems to be doing.

I'm betting that it is a response to one of YOUR internal systems that
is trying to connect to this server to pull email via POP3.

> 
> Plus...my ppp0 ip addy is always in the 209.193.x.x
> address space...so how the heck does a packet from
> a 10.x address even get to me in the first place?
> I thought 10.x addresses were non routable to begin with.

The INTERNET BACKBONE ROUTERS don't route these ip addresses -- other
routers (at your ISP) are free to deal with them in any way that they
choose.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
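
An added example, not part of the original message or of Shorewall itself: a small Python parser for the kind of log entry quoted in this thread, which decodes the MAC field and flags RFC 1918 sources and POP3 source ports. The function names are hypothetical, and the second sample line is constructed (its chain name, destination address and ports are assumptions) to resemble the ppp0 case described above.

```python
import ipaddress
import re

# RFC 1918 private ranges, the address space discussed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First sample is the (truncated) entry quoted in the thread; the second is
# constructed to resemble the 10.0.0.76 / port 110 / ppp0 case described there.
SAMPLES = [
    "Aug 11 19:32:26 localhost kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:06:5b:f8:58:1e:08:00 SRC=192.168.1.72",
    "Aug 12 09:00:01 localhost kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= "
    "SRC=10.0.0.76 DST=203.0.113.10 PROTO=TCP SPT=110 DPT=32801",
]

def parse(line):
    """Split a Shorewall log line into chain, disposition and KEY=value fields."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        return None
    rec = {"chain": m.group(1), "disposition": m.group(2)}
    for tok in m.group(3).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec

def notes(rec):
    """Return human-readable observations about one parsed record."""
    out = []
    # On Ethernet the MAC field is: 6 bytes destination, 6 bytes source, 2 bytes ethertype.
    mac = rec.get("MAC", "").split(":")
    if len(mac) == 14:
        dst, src, etype = ":".join(mac[:6]), ":".join(mac[6:12]), "".join(mac[12:])
        out.append(f"src_mac={src} ethertype=0x{etype}")
        if dst == "ff:ff:ff:ff:ff:ff":
            out.append("link-layer broadcast")
    src_ip = rec.get("SRC")
    if src_ip and any(ipaddress.ip_address(src_ip) in n for n in RFC1918):
        out.append(f"RFC 1918 source arriving on {rec.get('IN')}")
    # Heuristic: a TCP packet *from* port 110 is most likely a POP3 server's reply.
    if rec.get("PROTO") == "TCP" and rec.get("SPT") == "110":
        out.append("source port 110: looks like a POP3 server reply")
    return out

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse(line)
        print(rec["chain"], rec["disposition"], rec.get("SRC"), notes(rec))
```
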
