Strange errors from firewall

I keep seeing the following set of firewall errors/warnings in my logs. They are always to/from my internal network out to some external IP (I replaced the actual IP with 1.2.3.4). They are always related to port 80. I can’t figure out how these requests are showing up. Should I be concerned? Do the machines on the internal net have a virus or trojan or something? I haven’t noticed any degradation in performance, or web pages not coming back, etc.

kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.1.198 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=14874 DF PROTO=TCP SPT=49471 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0 OPT (0101080A3F32799202DB9BF0)

kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=1.2.3.4 DST=192.168.1.198 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=49471 WINDOW=0 RES=0x00 RST URGP=0

Here is a shortened list of my firewall settings (iptables -L):

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_int  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int  all  --  anywhere             anywhere
forward_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere

Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
reject_func  all  --  anywhere             anywhere

I am running openSUSE 11.0.
I have a DSL connection with a static IP.
I had some problems getting PPPoE working in SUSE, so instead I set the DSL modem to do no NAT, so it basically just passes everything straight through. Perhaps not ideal, but it made my server easier to set up.

This is my first posting to the forum, so, be gentle :slight_smile:
Thanks!

Hi
Use Wireshark on the host to see more detail, but it may be something doing a check for updates…


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.0 x86 Kernel 2.6.25.18-0.2-default
up 5 days 12:44, 1 user, load average: 0.43, 0.28, 0.27
GPU GeForce 6600 TE/6200 TE - Driver Version: 177.82

But if it was something checking for updates wouldn’t the FORWARD rule “ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED” handle it because it would either be NEW or RELATED?

I’ll try Wireshark out tonight and see if it shows anything strange…

Your input rules are a little strange. In the first rule you accept everything. Normally the order is:

accept anywhere,anywhere related,established
accept internal,anywhere new

You should run iptables with the -v flag. I think it will show that the first rule is actually limited to the internal interface. Otherwise you effectively have no firewall at all for packets from the outside. I assume that those rules were written by SuSEfirewall2.

Have you done a reverse lookup on those destinations? I think you will find that they are web sites you have been surfing. I think those log entries are due to the web browser trying to close the connection after the conntrack entry in iptables has expired. That’s probably harmless.
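A small triage script for the pattern described in this reply, added here as an example and not part of the thread: it parses SFW2 kernel log lines, pairs each dropped FIN/ACK from an internal host with the RST logged under SFW2-OUT-ERROR (on the reading that this RST is the firewall's own reject_func reply, sent with the web server's address as source), and flags any drop that does not fit. The first two sample lines are the ones quoted in the question; the third is constructed, and the pairing is done on any destination port, not only 80.

```python
import re

# Sample log: the two lines from the question plus one constructed FIN/ACK to port 443 with no RST reply.
SAMPLE_LOG = """\
kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.1.198 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=14874 DF PROTO=TCP SPT=49471 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0 OPT (0101080A3F32799202DB9BF0)
kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=1.2.3.4 DST=192.168.1.198 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=49471 WINDOW=0 RES=0x00 RST URGP=0
kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2201 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
"""

PREFIX_RE = re.compile(r"(SFW2-[\w-]+)")      # the LOG rule prefix, e.g. SFW2-FWDint-DROP-DEFLT
FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs; IN= with an empty value is allowed
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_sfw2(line):
    """Turn one SuSEfirewall2 kernel log line into a dict of its fields, rule prefix and TCP flags."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group(1)}
    rec.update(FIELD_RE.findall(line))
    # TCP flags are logged as bare tokens (ACK FIN, RST); every other token carries a key.
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec


def classify(lines):
    """Split dropped internal-side packets into benign stale closes and drops that need a look.

    A drop is benign when it is a FIN/ACK and the same flow (client addr/port, server addr/port)
    appears as an RST logged in the OUTPUT chain, i.e. the firewall rejected a FIN whose
    conntrack entry had already expired. Returns (benign, unexplained) lists of records."""
    recs = [r for r in map(parse_sfw2, lines) if r]
    rsts = {(r["DST"], r["DPT"], r["SRC"], r["SPT"]) for r in recs
            if r["prefix"] == "SFW2-OUT-ERROR" and r.get("PROTO") == "TCP" and "RST" in r["flags"]}
    benign, unexplained = [], []
    for r in recs:
        if r["prefix"] != "SFW2-FWDint-DROP-DEFLT" or r.get("PROTO") != "TCP":
            continue
        key = (r["SRC"], r["SPT"], r["DST"], r["DPT"])
        if {"FIN", "ACK"} <= r["flags"] and key in rsts:
            benign.append(r)
        else:
            unexplained.append(r)
    return benign, unexplained


if __name__ == "__main__":
    benign, unexplained = classify(SAMPLE_LOG.splitlines())
    print(f"{len(benign)} stale-close drop(s) paired with a reject RST, {len(unexplained)} unexplained")
    for r in unexplained:
        print("check:", r["SRC"], "->", r["DST"], "port", r["DPT"], sorted(r["flags"]))
```

Feed it the SFW2 lines from /var/log/messages (or journalctl output on newer systems); whatever lands in the unexplained list is what a reverse lookup or a Wireshark capture should be spent on.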

Oops, knew I should have left the -v on there :shame: (I left it out in my original post to try and cut down on the post size)… here it is again:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15294 4095K ACCEPT     all  --  lo     any     anywhere             anywhere
61340   22M ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED
    3   168 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED
18509 2401K input_int  all  --  eth0   any     anywhere             anywhere
 6453  659K input_ext  all  --  eth1   any     anywhere             anywhere
    0     0 input_ext  all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
23315 1340K TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 312K   40M forward_int  all  --  eth0   any     anywhere             anywhere
 484K  592M forward_ext  all  --  eth1   any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 218 packets, 9041 bytes)
 pkts bytes target     prot opt in     out     source               destination
15294 4095K ACCEPT     all  --  any    lo      anywhere             anywhere
73777   23M ACCEPT     all  --  any    any     anywhere             anywhere            state NEW,RELATED,ESTABLISHED
  160  6721 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
   47  2820 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
  166 13048 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
 484K  592M ACCEPT     all  --  eth1   eth0    anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere            PKTTYPE = multicast
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain forward_int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
 312K   40M ACCEPT     all  --  eth0   eth1    anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere            PKTTYPE = multicast
  170 10258 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
  228 13214 reject_func  all  --  any    any     anywhere             anywhere

Chain input_ext (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            PKTTYPE = broadcast
  809 51376 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:msnp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:xbox
  399 21996 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
  124  6036 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
  409 20580 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:urd
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:kerberos
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:xbox
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:http
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:https
  324 20736 DROP       all  --  any    any     anywhere             anywhere            PKTTYPE = multicast
 3904  513K LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
 4388  538K DROP       all  --  any    any     anywhere             anywhere

I did reverse dns lookups on a number of the addresses and it does appear that they are all from web pages I was browsing. So perhaps you are correct about the conntrack cache expiring.
Still, it seems kinda strange. I had a firewall set up previously under RedHat 9 and never got messages like this.

Is there any way to increase the timeout for conntrack, or should I just not worry about it?

Thanks!

Don’t worry, be happy.