Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: AlecN on December 10, 2001, 05:23:14 PM
-
Got this Alert just a while ago on a PC running ZA basic behind SME5:
The firewall has blocked Internet access to your computer (ICMP Time Exceeded) from 4.24.6.38. Occurred: 2 times between 10/12/01 11:16:14 PM and 10/12/01 11:16:14 PM
Can anyone shed some light on this?
-
I am surprised that no one has commented on this. Maybe I've got it all wrong but I thought that this kind of intrusion was not possible behind a Linux firewall. If it wasn't for ZoneAlarm, then I figure that this "probe" could have had its way with my PC. The traceroute is as follows:
3 202.12.157.71 (202.12.157.71) 63.838 ms 58.969 ms 63.830 ms
4 GigabitEthernet4-0-0.lon5.Melbourne.telstra.net (139.130.49.33) 61.120 ms 59.478 ms 62.191 ms
5 GigabitEthernet3-2.lon-core3.Melbourne.telstra.net (203.50.76.89) 60.041 ms 61.638 ms 63.017 ms
6 GigabitEthernet4-0.win-core1.Melbourne.telstra.net (203.50.77.18) 61.123 ms 61.359 ms 61.107 ms
7 Pos2-0.ken-core4.Sydney.telstra.net (203.50.6.165) 72.809 ms 72.804 ms 70.893 ms
8 GigabitEthernet0-0.pad-core4.Sydney.telstra.net (203.50.6.190) 74.166 ms 74.433 ms 70.075 ms
9 GigabitEthernet0-0.syd-core01.Reach.telstra.net (203.50.13.242) 74.164 ms 69.518 ms 74.965 ms
10 Pos12-1.wil-core1.LosAngeles.net.reach.com (203.50.126.74) 242.109 ms 241.536 ms 239.114 ms
11 p3-1.lsanca1-cr5.bbnplanet.net (4.24.56.113) 239.912 ms 242.572 ms 242.089 ms
12 p3-1.lsanca1-cr6.bbnplanet.net (4.24.4.25) 239.928 ms 242.593 ms 242.899 ms
13 p2-0.lsanca1-cr8.bbnplanet.net (4.24.4.14) 246.231 ms 248.404 ms 242.086 ms
14 p6-0.lsanca2-br2.bbnplanet.net (4.24.5.53) 241.821 ms 243.681 ms 245.076 ms
15 p9-0.crtntx1-br2.bbnplanet.net (4.24.5.62) 277.974 ms 280.373 ms 280.138 ms
16 p15-0.crtntx1-br1.bbnplanet.net (4.24.10.113) 279.865 ms 279.801 ms 281.760 ms
17 p9-0.iplvin1-br2.bbnplanet.net (4.24.10.214) 298.114 ms 299.818 ms 299.686 ms
18 p15-0.iplvin1-br1.bbnplanet.net (4.24.10.153) 301.084 ms 299.902 ms 298.604 ms
19 p13-0.phlapa1-br1.bbnplanet.net (4.24.10.181) 313.351 ms 314.185 ms 316.268 ms
20 p15-0.phlapa1-br2.bbnplanet.net (4.24.10.90) 313.838 ms 313.777 ms 316.810 ms
21 so-0-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.185) 314.928 ms 319.480 ms 317.079 ms
22 so-4-1-0.atlnga1-br1.bbnplanet.net (4.24.6.38) 326.341 ms 326.568 ms 323.607 ms
Can someone please put me straight?
-
The problem with personal firewalls is that their #1 goal is mere self-promotion. 99.9% of all "alerts" you will see from any such product are the result of harmless network housekeeping, and no cause for concern whatsoever. I can't really give you any details on your particular "attack," but I don't think it merits much investigation. There is likely a very innocuous explanation for it though.
Dan
-
This coincides with something I found on Saturday. My test setup is a server running e-smith 4.1.2 talking to a Windows XP workstation. I run Sygate Personal Firewall pro to stop the &*^%$!!>< XP workstation from dialing out all the time - some Windows XP components cannot be stopped from asking for the internet every time you run them. The workstation uses the server as its internet connection - it has a second network card and a router/dial-up modem combination.
If I run the Sygate Stealth port scan that is available on their website, the report lists a bunch of ports but says that they are all blocked. If I unload the Sygate PFW-Pro and run the same scan again, it reports a lot more items, lists each one as 'unknown' and gives no test results. This doesn't happen on a direct contact Windows machine without the software firewall, that reports all the open ports quite happily. So running a software firewall on a workstation that connects to the internet via an e-smith server seems to make the workstation more visible to the outside world.
Ed Form
-
Thanks for the replies, much appreciated. Maybe the only use for a PFW behind SME is to stop spyware etc, i.e. keep control of all the other software we accumulate on our win PCs.
Thanks again
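-
Added example, not part of any post in this thread: a small Python triage helper that parses the ZoneAlarm alert text and the traceroute quoted above, maps the ICMP message name to its RFC 792 type, and reports which traceroute hop the alert's source address is. The function names and the ICMP name table (other than "Time Exceeded") are assumptions made for the illustration; the sample alert and the two traceroute lines are copied from the posts.

```python
import re

# ICMP types from RFC 792. An "error" message is generated in response to a
# packet sent earlier (type 11: a router saw the packet's TTL reach zero);
# a "query" is an unsolicited request. Names other than "Time Exceeded" are
# assumed wordings, not taken from the thread.
ICMP_TYPES = {
    "Echo Request": (8, "query"),
    "Echo Reply": (0, "reply"),
    "Destination Unreachable": (3, "error"),
    "Time Exceeded": (11, "error"),
}

ALERT_RE = re.compile(r"\(ICMP ([A-Za-z ]+)\) from (\d+\.\d+\.\d+\.\d+)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")

def parse_alert(text):
    """Extract ICMP message name, type number, kind and source IP."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    name, src = m.group(1).strip(), m.group(2)
    num, kind = ICMP_TYPES.get(name, (None, "unknown"))
    return {"name": name, "type": num, "kind": kind, "src": src}

def parse_traceroute(text):
    """Map each hop IP to (hop number, hostname)."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # lines such as "5 * * *" carry no address and are skipped
            hops[m.group(3)] = (int(m.group(1)), m.group(2))
    return hops

def triage(alert_text, trace_text):
    """Annotate the parsed alert with the matching traceroute hop, if any."""
    alert = parse_alert(alert_text)
    if alert is None:
        return None
    hop = parse_traceroute(trace_text).get(alert["src"])
    alert["hop"], alert["host"] = hop if hop else (None, None)
    return alert

# Sample input copied from the posts above (alert text and last two hops).
ALERT = ("The firewall has blocked Internet access to your computer "
         "(ICMP Time Exceeded) from 4.24.6.38.")
TRACE = """\
21 so-0-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.185) 314.928 ms 319.480 ms 317.079 ms
22 so-4-1-0.atlnga1-br1.bbnplanet.net (4.24.6.38) 326.341 ms 326.568 ms 323.607 ms
"""

if __name__ == "__main__":
    print(triage(ALERT, TRACE))
```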