Bad confusion about what to do with auth.
Anders Peter Fugmann
Wed Feb 22 07:41:15 CET 2006
Steven W. Orr wrote:
> I get a lot of these in my syslog
>
> Feb 21 22:14:33 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0
> SRC=207.172.210.41
> DST=67.98.202.21 LEN=40 TOS=0x00
> PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113
> DPT=617
Is this the whole line logged? If so the reason for FIAIF to report this
as a SCAN is that it has no TCP flags - also called a NULL packet.
FIAIF_SCAN in general means that there is something wrong with the TCP
packet seen in regards to the TCP flags on the packet.
>
> I am the 207 addr.
>
> I have the following in my zone.ext:
>
> OUTPUT[1]="ACCEPT tcp
> auth,smtp,domain,nicname,finger,http,pgpkeyserver,cvspserver
> 0.0.0.0/0=>0.0.0.0/0"
>
> and I also have this:
>
> REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"
>
> The goal is to send a tcp-reset if someone sends me an ident request.
>
> So I have two questions.
>
> First, what does that message in syslog mean?
> Second, is this bad?
Well - Depends on what OS you have behind the firewall. If it is a Linux
box, then I'm a bit puzzled on why the system would send a NULL packet.
If it is a Windows based box, then you might want to run a virus
checker, and see if any trojans have been installed.
>
> Sorry I don't understand, but I hope to learn this better.
>
> TIA
>
Regards
Anders Fugmann
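
An added example (not part of the original message, and not FIAIF's own code): a parser for netfilter LOG lines that tells apart a line showing no TCP flags because it was cut short from a complete line that really carries none. It assumes the standard netfilter LOG layout, in which flag names appear between RES= and URGP=; the function names and verdict labels are illustrative, not FIAIF's rule set, and sample lines 2-4 are constructed.

```python
# Flag names as printed by the netfilter LOG target (assumed standard layout:
# ... WINDOW=n RES=0xNN [flag names] URGP=n).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Line 1 is the log entry quoted in the message, joined onto one line.
# Lines 2-4 are constructed for illustration (documentation address ranges).
SAMPLE_LOG = """\
Feb 21 22:14:33 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 SRC=207.172.210.41 DST=67.98.202.21 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113 DPT=617
Feb 21 22:15:02 saturn kernel: [FIAIF_SCAN]:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4242 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Feb 21 22:15:03 saturn kernel: [FIAIF_SCAN]:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4243 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Feb 21 22:15:04 saturn kernel: IN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113 DPT=40002 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

def parse_line(line):
    """Return (fields, flags, complete) for a TCP LOG line, else None."""
    _, sep, tcp_part = line.partition("PROTO=TCP")
    if not sep:
        return None
    tokens = tcp_part.split()
    # Only tokens after PROTO=TCP count, so the IP-level "DF" is ignored.
    flags = {t for t in tokens if t in TCP_FLAGS}
    # URGP= is the field printed after the flags; without it the entry is cut short.
    complete = any(t.startswith("URGP=") for t in tokens)
    fields = dict(t.split("=", 1) for t in line.split() if "=" in t)
    return fields, flags, complete

def classify(line):
    parsed = parse_line(line)
    if parsed is None:
        return "not-tcp"
    _, flags, complete = parsed
    if not complete:
        return "truncated"   # flags unknown: cannot be called a NULL packet
    if not flags:
        return "null"        # complete entry, no flag set
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        return "invalid-combination"
    return "no-anomaly"      # e.g. the ACK RST of a tcp-reset reply

def report(log_text):
    rows = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            f = parsed[0]
            rows.append((f["SRC"], f["SPT"], f["DPT"], classify(line)))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```
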