Re: F13 Firewall and gateway router port forwarding

On 10/06/2010 04:54 AM, Doron Bar Zeev wrote:
>
>
> On Mon, Oct 4, 2010 at 07:28, JD <jd1008@xxxxxxxxx 
> <mailto:jd1008@xxxxxxxxx>> wrote:
>
>      I have a router/gateway which forwards a few ports
>     to my machine. Port 995 is absolutely not one of them.
>     I checked and rechecked.
>
>     My F13 iptables is instrumented to print a "Dropped" message
>     for packets that it drops.
>     So I was surprised to see many messages like this:
>
>     Dropped by firewall: IN=wlan0 OUT=
>     MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 SRC=74.125.127.109
>     DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 PROTO=TCP
>     SPT=995
>     DPT=57892 WINDOW=0 RES=0x00 RST URGP=0
>
>     Port 995 is for SSL'ed pop protocol.
>
>     I even used another machine and tried to telnet to the
>     router's public IP address, port 995
>
>     telnet  my-router-public-ip-address  995
>
>     to see if it would forward the packet to my machine.
>     It did not and the firewall did not even see the packet.
>
>     How can this happen? The packet obviously arrived from the gmail
>     pop server,
>     unless a clever hacker spoofed the source IP.
>     I do not understand how any server can worm a packet to my LAN
>     address,
>     when the router's per-LAN-client dedicated firewalls
>     do not provide for forwarding this port to any machine on the LAN.
>     (yes - this router provides a separately configurable firewall and
>     port
>     forwarding table for each LAN client) -
>
>     Is it possible that the router itself got hacked?
>
>
>
> Since it's the source port that is 995 it seems google is trying to 
> respond to your computer which started a communication with them with 
> destination port of 995 and destination address of google.

That is strange, because I have been getting my email just fine. No 
problems at all.
Well, I'll keep watching the logs to see how often it happens.
Thanks for the explanation.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
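
Added example, not part of the original thread: a small Python parser for netfilter LOG lines in the format quoted above, which applies the reasoning in the reply (a low source port and a high destination port mean a server is answering a connection the local machine opened) and tallies such drops per remote address. The second sample line, the `EPHEMERAL_MIN` threshold and all function names are assumptions made for this illustration.

```python
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
EPHEMERAL_MIN = 32768  # assumption: lower bound of the Linux default local port range

# First entry is the one quoted in the thread; the second is constructed for contrast.
SAMPLE_LOG = [
    "Dropped by firewall: IN=wlan0 OUT= MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 "
    "SRC=74.125.127.109 DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 "
    "PROTO=TCP SPT=995 DPT=57892 WINDOW=0 RES=0x00 RST URGP=0",
    "Dropped by firewall: IN=wlan0 OUT= SRC=192.0.2.44 DST=10.1.1.8 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40122 DPT=995 WINDOW=14600 RES=0x00 "
    "SYN URGP=0",
]

def parse_entry(line):
    """Split a LOG-target line into KEY=value fields and bare TCP flag tokens."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            flags.add(token)
    return fields, flags

def classify(line):
    """Label a dropped packet by its direction within a TCP conversation."""
    fields, flags = parse_entry(line)
    if fields.get("PROTO") != "TCP" or "SPT" not in fields or "DPT" not in fields:
        return "not-tcp"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if flags == {"SYN"}:
        return "new-inbound-connection"   # a remote host is opening a connection to us
    if spt < 1024 and dpt >= EPHEMERAL_MIN:
        return "reply-to-local-client"    # server port -> our ephemeral port
    return "other"

def summarize(lines):
    """Count dropped packets per (label, source address, source port)."""
    counts = Counter()
    for line in lines:
        fields, _ = parse_entry(line)
        counts[(classify(line), fields.get("SRC"), fields.get("SPT"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

Only entries labelled `new-inbound-connection` would indicate traffic that depended on a port forward at the router; the entry from the thread is labelled `reply-to-local-client`.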

