Strange Shorewall Log Entries - Security


Thread: Strange Shorewall Log Entries

  1. Strange Shorewall Log Entries

    Hi all,

    Today, I noticed a ton of strange entries in my shorewall log file
    (kern.log):

    Apr 12 22:55:41 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17 DPT=35035 LEN=59
    Apr 12 22:56:06 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=258 DPT=35038 LEN=76

    There are around 2000 such entries, each having a different destination
    port (larger than 35000) and most having a different source port
    (~15-400). I don't understand why the source IP is my router. The
    middle part of the MAC address (00:11:50:48:e4:a0) matches the internal
    MAC address of my router. What does this mean?

    Also, at the very end of these lines there is:

    Apr 12 22:57:39 server kernel: eth0: link down
    Apr 12 22:57:41 server kernel: eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
    Apr 12 22:57:53 server kernel: eth0: link down
    Apr 12 22:57:55 server kernel: eth0: link up, 100Mbps, full-duplex, lpa 0x45E1

    Are these two events related?

    Any insight would be greatly appreciated!

    Thanks!

    Jonathan
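    An added example (not code from the original post or from Shorewall) that parses the two quoted log entries and pulls out the fields the question turns on. The netfilter LOG target writes the MAC= field as 14 octets: destination MAC (6), source MAC (6), then the EtherType (2), so the "middle part" that matches the router is the source MAC of the frame, consistent with SRC= being the router's IP. The parser below assumes the standard Shorewall prefix layout Shorewall:chain:disposition: and the router MAC the post gives; the log lines are embedded as constructed sample input.

```python
"""Parse Shorewall/netfilter LOG lines and summarize a burst of drops.

Added example: generic parser for the KEY=VALUE body that the kernel
LOG target emits, plus a summary over a batch of lines.
"""
import re
from collections import Counter

# Constructed sample input: the two entries quoted in the post, one per line.
SAMPLE_LOG = """\
Apr 12 22:55:41 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17 DPT=35035 LEN=59
Apr 12 22:56:06 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:ed:5c:4c:cd:00:11:50:48:e4:a0:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=258 DPT=35038 LEN=76
"""

# Assumed: the router's internal MAC, as stated in the post.
ROUTER_MAC = "00:11:50:48:e4:a0"

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the kernel fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")


def parse_mac_field(mac_field):
    """Split the 14-octet netfilter MAC= field into (dst MAC, src MAC, EtherType)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("MAC field must contain 14 octets")
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = "0x" + "".join(octets[12:14])
    return dst, src, ethertype


def parse_line(line):
    """Parse one Shorewall log line into a dict; return None for non-matching lines."""
    head, sep, body = line.partition("kernel: ")
    if not sep:
        return None
    m = PREFIX_RE.match(body)
    if not m:
        return None
    rec = {
        "timestamp": head[:15],  # syslog "Mon DD HH:MM:SS"
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "flags": [],             # bare tokens such as DF
    }
    lens = []
    for token in body[m.end():].split():
        key, eq, value = token.partition("=")
        if not eq:
            rec["flags"].append(key)
        elif key == "LEN":
            # LEN appears twice: IP total length first, then the L4 (UDP) length.
            lens.append(int(value))
        else:
            rec[key] = value
    if lens:
        rec["ip_len"] = lens[0]
    if len(lens) > 1:
        rec["l4_len"] = lens[1]
    for key in ("SPT", "DPT", "TTL", "ID"):
        if key in rec:
            rec[key] = int(rec[key])
    if "MAC" in rec:
        rec["dst_mac"], rec["src_mac"], rec["ethertype"] = parse_mac_field(rec["MAC"])
    return rec


def summarize(log_text, router_mac=ROUTER_MAC):
    """Return (records, summary) for all parseable lines in log_text."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    summary = {
        "count": len(records),
        "dispositions": Counter(r["disposition"] for r in records),
        "sources": Counter(r.get("SRC") for r in records),
        "protocols": Counter(r.get("PROTO") for r in records),
        "dpt_range": (min(r["DPT"] for r in records), max(r["DPT"] for r in records)),
        "spt_range": (min(r["SPT"] for r in records), max(r["SPT"] for r in records)),
        # Frames whose source MAC is the router were put on the wire by the router itself.
        "from_router_mac": all(r.get("src_mac") == router_mac for r in records),
        # TTL=64 is the default initial TTL of a Linux sender; an unchanged 64 means
        # no forwarding hop decremented it (a hint, not proof, of origin on the router).
        "ttl_unchanged_64": all(r.get("TTL") == 64 for r in records),
    }
    return records, summary


if __name__ == "__main__":
    recs, summ = summarize(SAMPLE_LOG)
    for key, value in summ.items():
        print(f"{key}: {value}")
```

Run against the full kern.log slice instead of SAMPLE_LOG to see whether all ~2000 entries share the router's source MAC and the same TTL; if they do, the traffic originates on the router rather than on a host behind it.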


  2. Re: Strange Shorewall Log Entries

    I've got tcpdump running now...hopefully I get some more of these
    packets so I can understand what's going on.

    Is there a shorewall option to log the contents of certain packets?
    Since this firewall is actually behind my router, I get very little
    activity in the logs, so it probably wouldn't hurt...or at least I
    could enable it for a while.

    Thanks for the quick response!

    Jonathan

