Help understanding SFW2-INext-ACC-TCP IN=eth0 in Firewall.....

Hi,

I didn’t make any adjustments to the firewall in regards to forwarding, I have the normal allowed services of web, vnc, ssh, sftp and giving one local IP access. I do have Iplist running, but I know this doesn’t affect the iptables. So is this normal processing? I put my domain on camping status for now.

03/23/12 12:02:06 PM anointedserv1 kernel [992845.327800] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:19:db:cc:66:00:00:13:46:b9:2f:8e:08:00 SRC=1.202.218.8 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x20 TTL=45 ID=43351 DF PROTO=TCP SPT=36988 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5E11D5B50000000001030307) MARK=0xfffe

Thanks!..

If I understand your post correctly,
SRC is “source IP address” and a first octet of “one” is highly unlikely, generally impossible.
If you’re running a private network, look up the private IP network spaces… Most people set up a Class C network which starts with “192.168.x.y”

I’d have to look up what “SPT” is supposed to mean…

HTH,
TS

Here is more of what I’m getting, I only have a two-system network; Desktop and Web Server, using a Dynex Router (Port 80 open only) and a Comcast Motorola SB5100 Cable Modem. And, yes, using Private IPs of 192.168…


What I understand is SPT = “Service Port”. What is the purpose of openSuse doing this?

Doesn’t SFW2 mean “Suse Firewall 2”? If so, then what does the INext-ACC-TCP mean? Is it blocking, dropping or accepting solicitation? I read from an internet post that these are probes? [“SFW2-INext-DROP-DEFLT” messages - can anyone explain?](http://www.linuxquestions.org/questions/linux-networking-3/sfw2-inext-drop-deflt-messages-can-anyone-explain-406101/)

…but most people don’t know what exactly Suse Firewall 2 is doing. Can anyone clear this up?

I do not know what the default setting of SFW2 is with respect to routing between the zones (internet and LAN), but I would suggest you look a little bit at the machine with the IP 192.168.0.100. Most likely it is initiating the connection and then your firewall keeps the connection - if the OS machine is set up for routing between 192.168.0.100 and the internet.

On the other hand, I am only guessing since I did not understand your network setup - you mention what you have but not HOW they are connected and which is which (I mean you post a firewall log from an openSUSE machine but no info on what resides on it and how it is connected with respect to internet and LAN).

Cheers.

PS
From the log I see a connection that was allowed on the external interface (INext - INbound traffic on the external interface <<eth0>>) by the default rules (DEFLT - Default rules) on port 80 (http).

No it’s source port. Any OS does this. It uses some magic to choose the source port so that for example different browser sessions don’t have the same source port.
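
As an added example (not part of any post in this thread, and not SuSEfirewall2's own code), the Python below splits a line like the one quoted at the top into its prefix parts and fields, and decodes the `OPT (...)` hex string as TCP options. The sample line is constructed with a documentation source address, and the prefix mapping is an assumption taken from the explanations given in the thread.

```python
import re

# Constructed sample in the thread's log format (documentation SRC address).
SAMPLE = ("kernel [992845.327800] SFW2-INext-ACC-TCP IN=eth0 OUT= "
          "SRC=203.0.113.8 DST=192.168.0.100 LEN=60 TTL=45 ID=43351 DF "
          "PROTO=TCP SPT=36988 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 "
          "OPT (020405B40402080A5E11D5B50000000001030307) MARK=0xfffe")

# Assumed reading of the prefix parts, following the thread's explanation.
ZONES = {"INext": "inbound, external zone"}
ACTIONS = {"ACC": "accepted", "DROP": "dropped"}
OPT_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 8: "TIMESTAMP"}
FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def decode_tcp_options(hex_opts):
    """Walk the kind/length/value bytes that the LOG target prints as OPT."""
    raw, out, i = bytes.fromhex(hex_opts), [], 0
    while i < len(raw) and raw[i] != 0:      # kind 0 ends the list
        if raw[i] == 1:                      # kind 1 is one-byte padding
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            out.append(("MALFORMED", raw[i:].hex()))
            break
        value = raw[i + 2:i + length]
        numeric = raw[i] in (2, 3)           # MSS and window scale are integers
        out.append((OPT_NAMES.get(raw[i], f"KIND_{raw[i]}"),
                    int.from_bytes(value, "big") if numeric else value.hex()))
        i += length
    return out

def parse_sfw2(line):
    """Decode one SFW2 log line into a dict; None if it is not one."""
    m = re.search(r"SFW2-(\w+)-(\w+)-(\S+) (.*)", line)
    if not m:
        return None
    zone, action, detail, rest = m.groups()
    kv = dict(t.split("=", 1) for t in rest.split() if "=" in t)
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", rest)
    port = lambda key: int(kv[key]) if key in kv else None
    return {
        "zone": ZONES.get(zone, zone), "action": ACTIONS.get(action, action),
        "detail": detail, "src": kv.get("SRC"), "dst": kv.get("DST"),
        "src_port": port("SPT"), "dst_port": port("DPT"),  # SPT = source port
        "flags": [f for f in rest.split() if f in FLAGS],
        "tcp_options": decode_tcp_options(opt.group(1)) if opt else [],
    }
```

For the sample, `parse_sfw2(SAMPLE)` reports an accepted inbound SYN to port 80 whose options are MSS 1460, SACK permitted, a timestamp and window scale 7: an ordinary new HTTP connection attempt.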

Awh! Great! Thanks for clearing that up for me, appreciate your help very much! :)

This is my setup:
Comcast
|
Modem
|
Dynex 4 port - p1 - Web Server (openSuse 12.1, KDE 4.7), p2 - Desktop (Ubuntu Zorin 5 Ultimate 11.04 natty, Gnome 2.32.1)

Routing HTTP to 192.168.0.100

Thanks Again!..

If your openSUSE is on a private network behind a firewall device, you can modify your FW rules so that your network interface is configured as an “Internal Network” zone instead of “external network” – Rules should generally be relaxed and you shouldn’t run into many if any blocked ports/services.

TS

Ok thanks, just using the Dynex NAT to route HTTP to, the openSuse server is a direct connect to Port 1.