strange SuSEfirewall2 message

Hello,

While searching for some info on another problem, I noticed some strange messages in my SuSEfirewall2 logs (dmesg), just after boot:

[251.127822] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:12:79:ab:74:f4:f4:ca:e5:5b:9c:82:08:00 SRC=95.83.173.208 DST=192.168.0.150 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=19981 DF PROTO=TCP SPT=6712 DPT=23481 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

several times (3 for now)

Looks like this is some sort of attack from Russia:
IP Information - 95.83.173.208
Host name: 95.83.173.208.spark-ryazan.ru
Country: Russian Federation
Country Code: RU

I’m on an internal network, no server open in it, and the Internet connection is my ISP box working as gateway/router, so I wonder how the Russians could have sniffed my internal IP?

As far as I know, the only other computer on the network is a Linux/openSUSE box. I have an Ethernet printer, but an old kind, no net access.

Any idea? Action to take?

thanks
jdd

I don’t know what that is.

Did you just reboot from running Windows (or another operating system), and were you doing something on Windows that could have set an entry in the router NAT table – say game playing or using BitTorrent?

Why do you think they sniffed the internal IP? Most likely some script is trying the most popular IP addresses. Anyhow the DST IP is most likely something that your ISP router sets with DNAT. So most likely the Russians target the external IP of your ISP.

I would ask the ISP about this. Anyhow it’s good that you have a firewall enabled :) as the traffic was dropped by it.

I guess you were right. My box is a new model received recently. I found suspicious lines in the redirection table (and removed them).

thanks
jdd
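
An added example, not part of the thread: a Python parser for the log line posted above. It decodes the TCP options and applies the heuristic from the reply, that a public SRC reaching a private DST with a bare SYN points at a DNAT/port-forward entry on the router. The function names are hypothetical.

```python
import ipaddress
import re

# Log line as posted in the thread (kernel timestamp omitted).
SAMPLE = ("SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
          "MAC=00:12:79:ab:74:f4:f4:ca:e5:5b:9c:82:08:00 SRC=95.83.173.208 "
          "DST=192.168.0.150 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=19981 DF "
          "PROTO=TCP SPT=6712 DPT=23481 WINDOW=65535 RES=0x00 SYN URGP=0 "
          "OPT (020405B401010402)")
TCP_OPT_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERMITTED", 8: "TIMESTAMP"}

def parse_netfilter(line):
    """Split a netfilter LOG line into prefix, KEY=VALUE fields and TCP flags."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["PREFIX"] = line.split(" IN=", 1)[0].split("]")[-1].strip()
    fields["FLAGS"] = [f for f in ("SYN", "ACK", "FIN", "RST", "PSH")
                       if re.search(rf"\b{f}\b", line)]
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    fields["OPT"] = bytes.fromhex(opt.group(1)) if opt else b""
    return fields

def decode_tcp_options(raw):
    """Walk the kind/length/value option list taken from the TCP header."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        # Every other option carries a length byte covering kind+length+value.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            out.append(("MALFORMED", raw[i:].hex()))
            break
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        name = TCP_OPT_NAMES.get(kind, f"KIND_{kind}")
        out.append((name, int.from_bytes(value, "big") if value else None))
        i += length
    return out

def forwarded_from_internet(f):
    """Heuristic (assumption): public SRC + private DST + bare SYN means the
    upstream router translated the packet, e.g. via a port-forward entry."""
    src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    return src.is_global and dst.is_private and f["FLAGS"] == ["SYN"]
```

For the posted line the options decode to an MSS of 1460 plus SACK-permitted, and `DPT` gives the port to look for in the router's redirection table.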