Bad confusion about what to do with auth.
Steven W. Orr
Wed Feb 22 15:46:02 CET 2006
On Wednesday, Feb 22nd 2006 at 07:41 +0100, quoth Anders Peter Fugmann:
=>Steven W. Orr wrote:
=>> I get a lot of these in my syslog
=>>
=>> Feb 21 22:14:33 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0
=>> SRC=207.172.210.41
=>> DST=67.98.202.21 LEN=40 TOS=0x00
=>> PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113
=>> DPT=617
=>Is this the whole line logged? If so the reason for FIAIF to report this as a
=>SCAN is that it has no TCP flags - also called a NULL packet.
=>
=>FIAIF_SCAN in general means that there is something wrong with the TCP packet
=>seen in regards to the TCP flags on the packet.
=>>
=>> I am the 207 addr.
=>>
=>> I have the following in my zone.ext:
=>>
=>> OUTPUT[1]="ACCEPT tcp
=>> auth,smtp,domain,nicname,finger,http,pgpkeyserver,cvspserver
=>> 0.0.0.0/0=>0.0.0.0/0"
=>>
=>> and I also have this:
=>>
=>> REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"
=>>
=>> The goal is to send a tcp-reset if someone sends me an ident request.
=>>
=>> So I have two questions.
=>>
=>> First, what does that message in syslog mean?
=>> Second, is this bad?
=>Well - Depends on what OS you have behind the firewall. If it is a Linux box,
=>then I'm a bit puzzled on why the system would send a NULL packet. If it is a
=>Windows based box, then you might want to run a virus checker, and see if any
=>trojans have been installed.
=>
I'm sorry. I mispasted the line. Here's a complete line. I don't know how
to fully interpret this, but it looks to me like this is an outgoing
packet (though I have no idea what process would create it) but I do have
auth on the output accept list. I don't understand what the FIAIF_SCAN
means and I also don't understand if the packet is actually being blocked
or not.
Feb 22 09:38:55 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0
SRC=207.172.210.41 DST=216.250.231.90
LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=113
DPT=40415 WINDOW=0 RES=0x00 ACK RST URGP=0
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
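
Added example, not part of the original message and not FIAIF's own code: a small Python parser for the kernel LOG lines quoted in this thread. It shows why the cut-off first paste could be taken for a NULL packet while the complete line carries ACK and RST. The function names and the labels returned by `classify` are this example's own assumptions.

```python
import re

# Flag names the netfilter LOG target prints between RES= and URGP=.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# The two lines pasted in this thread, joined onto one line each.
TRUNCATED = ("Feb 21 22:14:33 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 "
             "SRC=207.172.210.41 DST=67.98.202.21 LEN=40 TOS=0x00 PREC=0x00 "
             "TTL=255 ID=0 DF PROTO=TCP SPT=113 DPT=617")
COMPLETE = ("Feb 22 09:38:55 saturn kernel: [FIAIF_SCAN]:IN= OUT=eth0 "
            "SRC=207.172.210.41 DST=216.250.231.90 LEN=40 TOS=0x00 PREC=0x00 "
            "TTL=255 ID=0 DF PROTO=TCP SPT=113 DPT=40415 WINDOW=0 RES=0x00 "
            "ACK RST URGP=0")
# Constructed sample: COMPLETE with its flag tokens removed.
NULL_SAMPLE = COMPLETE.replace("ACK RST ", "")


def parse_log_line(line):
    """Return (fields, flags); flags is None if the flag section is absent."""
    fields = dict(m.groups() for m in re.finditer(r"\b([A-Z]+)=(\S*)", line))
    section = re.search(r"\bRES=\S+\s+(.*?)\s*\bURGP=", line)
    if section is None:
        return fields, None  # cut-off line: flags unknown, not "no flags"
    return fields, frozenset(t for t in section.group(1).split() if t in TCP_FLAGS)


def classify(line):
    """Label the flag combination; the labels are this example's own."""
    fields, flags = parse_log_line(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    if flags is None:
        return "truncated"
    if not flags:
        return "null"
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        return "invalid"
    if "RST" in flags:
        return "reset"
    return "other"


def is_local_output(fields):
    """Empty IN= with a set OUT= marks a packet generated on this host."""
    return fields.get("IN") == "" and bool(fields.get("OUT"))


if __name__ == "__main__":
    for name, line in (("truncated", TRUNCATED), ("complete", COMPLETE), ("null", NULL_SAMPLE)):
        print(name, classify(line), is_local_output(parse_log_line(line)[0]))
```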