Strange Shorewall Log Entries
Today, I noticed a ton of strange entries in my Shorewall log file:
Apr 12 22:55:41 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= DST=192.168.2.2 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17 DPT=35035 LEN=59
Apr 12 22:56:06 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= DST=192.168.2.2 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=258 DPT=35038 LEN=76
There are around 2000 such entries, each having a different destination
port (larger than 35000) and most having a different source port
(~15-400). I don't understand why the source IP is my router. The
middle part of the MAC address (00:11:50:48:e4:a0) matches the internal
MAC address of my router. What does this mean?
Also, at the very end of these lines there is:
Apr 12 22:57:39 server kernel: eth0: link down
Apr 12 22:57:41 server kernel: eth0: link up, 100Mbps, full-duplex, lpa
Apr 12 22:57:53 server kernel: eth0: link down
Apr 12 22:57:55 server kernel: eth0: link up, 100Mbps, full-duplex, lpa
Are these two events related?
Any insight would be greatly appreciated!
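A small triage script for this kind of question, added here as an example and not something from the thread or from the Shorewall project: it parses the netfilter "Shorewall:chain:ACTION:" log lines, splits the MAC= field into destination MAC, source MAC and ethertype (the kernel writes them in that order, which is why the router's address shows up in the middle), tallies the dropped packets by rule, source address and port, and counts how many drops fall in a window before each "link down" event so the two series can be compared. The sample lines are constructed to match the entries above; the SRC= and MAC= values (192.168.2.1 and the aa:bb:cc:dd:ee:ff destination MAC) are placeholders, since the post does not quote them.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log modelled on the entries in the post. SRC= and the
# destination half of MAC= are placeholders, not values from the thread.
SAMPLE_LOG = """\
Apr 12 22:55:41 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17 DPT=35035 LEN=59
Apr 12 22:56:06 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=258 DPT=35038 LEN=76
Apr 12 22:57:39 server kernel: eth0: link down
Apr 12 22:57:41 server kernel: eth0: link up, 100Mbps, full-duplex, lpa
Apr 12 22:57:53 server kernel: eth0: link down
Apr 12 22:57:55 server kernel: eth0: link up, 100Mbps, full-duplex, lpa
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
NF_RE = re.compile(TS + r" \S+ kernel: Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)$")
LINK_RE = re.compile(TS + r" \S+ kernel: (?P<iface>\w+): link (?P<state>up|down)")


def parse_ts(ts):
    # syslog timestamps carry no year; differences within one day are all we need
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_nf(line):
    """Parse one netfilter log line into a dict, or return None if it is not one."""
    m = NF_RE.match(line)
    if not m:
        return None
    rec = {"ts": parse_ts(m["ts"]), "chain": m["chain"], "action": m["action"], "flags": []}
    for tok in m["rest"].split():
        key, eq, val = tok.partition("=")
        if not eq:                      # bare tokens such as DF or SYN are flags
            rec["flags"].append(key)
            continue
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"               # second LEN= is the UDP/ICMP payload length
        rec[key] = val                  # OUT= with no value is kept as ""
    if "MAC" in rec:
        octets = rec["MAC"].split(":")
        if len(octets) == 14:           # dst(6) + src(6) + ethertype(2)
            rec["dst_mac"] = ":".join(octets[0:6])
            rec["src_mac"] = ":".join(octets[6:12])
            rec["ethertype"] = ":".join(octets[12:14])
    return rec


def summarize(log_text, window=timedelta(seconds=120)):
    """Tally drops by rule/source/port and count drops shortly before each link-down."""
    drops, links = [], []
    for line in log_text.splitlines():
        rec = parse_nf(line)
        if rec:
            drops.append(rec)
            continue
        m = LINK_RE.match(line)
        if m:
            links.append((parse_ts(m["ts"]), m["iface"], m["state"]))

    summary = {
        "total": len(drops),
        "by_rule": Counter((r["chain"], r["action"], r.get("PROTO")) for r in drops),
        "src_ips": Counter(r.get("SRC") for r in drops),
        "src_macs": Counter(r.get("src_mac") for r in drops),
        "src_ports": sorted({int(r["SPT"]) for r in drops if "SPT" in r}),
        "dst_ports": sorted({int(r["DPT"]) for r in drops if "DPT" in r}),
        "drops_before_link_down": [],
    }
    for ts, iface, state in links:
        if state != "down":
            continue
        n = sum(1 for r in drops if ts - window <= r["ts"] <= ts)
        summary["drops_before_link_down"].append((ts.strftime("%H:%M:%S"), iface, n))
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["total"], "drops;", dict(s["by_rule"]))
    print("source MACs:", dict(s["src_macs"]))
    print("source ports:", s["src_ports"], "dest ports:", s["dst_ports"])
    for when, iface, n in s["drops_before_link_down"]:
        print(f"{iface} link down at {when}: {n} drops in the preceding 120s")
```

Feed it the real file with `summarize(open("/var/log/messages").read())`; the per-rule and per-MAC counters show whether all 2000 entries really come from one neighbour, and the link-down column shows whether the bursts cluster just before the interface flaps or are spread evenly through the day.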
Re: Strange Shorewall Log Entries
I've got tcpdump running now...hopefully I get some more of these
packets so I can understand what's going on.
Is there a shorewall option to log the contents of certain packets?
Since this firewall is actually behind my router, I get very little
activity in the logs, so it probably wouldn't hurt...or at least I
could enable it for a while.
Thanks for the quick response!