From: deja on 2 Sep 2006 11:35

Let me start by saying I know nothing about firewalls and ports. However I have just started looking at the router logs on my wireless network. And I'm a little worried. For example I seem to be getting masses of Access Forwards from an almost sequential list of ports i.e:

116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
117|09/02/2006 15:24:28 |192.168.1.34:1589 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
118|09/02/2006 15:24:28 |192.168.1.34:1587 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
119|09/02/2006 15:24:28 |192.168.1.34:1585 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
120|09/02/2006 15:24:27 |192.168.1.34:1583 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
121|09/02/2006 15:24:27 |192.168.1.34:1581 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
122|09/02/2006 15:24:27 |192.168.1.34:1579 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
123|09/02/2006 15:24:27 |192.168.1.34:1577 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
125|09/02/2006 15:24:27 |192.168.1.34:1575 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
126|09/02/2006 15:24:26 |192.168.1.34:1573 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
127|09/02/2006 15:24:26 |192.168.1.34:1571 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
128|09/02/2006 15:24:26 |192.168.1.34:1569 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)

To my untrained eye, it seems odd that this access just goes through all the available ports (I have many more logs - it seemed to start with port 1028 and goes up to 4999 before starting again). This is keeping the router busy all the time with up to 10 accesses per minute solidly throughout the day.

Is this normal? Some of the destination ips seem to be expected (Google etc) others just point mysteriously at RIPE.NET or LIQUIDWEB.COM which we haven't knowingly visited but maybe they are adverts or something? Am I worrying unnecessarily? thanks for any advice
From: Moe Trin on 3 Sep 2006 12:44

On 2 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1157211321.843329.308810(a)m79g2000cwm.googlegroups.com>, deja(a)2bytes.co.uk wrote:

>Let me start by saying I know nothing about firewalls and ports.
>However I have just started looking at the router logs on my wireless
>network. And I'm a little worried. For example I seem to be getting
>masses of Access Forwards from an almost sequential list of ports i.e:
>
>116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80

[compton ~]$ host 69.16.237.154
154.237.16.69.IN-ADDR.ARPA domain name pointer host1.ephotozine.com
[compton ~]$

>|ACCESS FORWARD
> Firewall default policy: TCP (L to W)

Someone surfing. The multiple access is because they are retrieving multiple pages. It's from your wireless side, going out to the world.

>To my untrained eye, it seems odd that this access just goes through
>all the available ports (I have many more logs - it seemed to start
>with port 1028 and goes up to 4999 before starting again).

Normal - the single web page contains a number of URLs, and each has to be retrieved separately.

>This is keeping the router busy all the time with up to 10 accesses per
>minute solidly throughout the day.

Are you the one accessing these sites, or are you acting as a public hot spot because you left the router in the default condition?

>Is this normal?

For a system in use? Sure.

>Some of the destination ips seem to be expected (Google etc) others just
>point mysteriously at RIPE.NET or LIQUIDWEB.COM which we haven't knowingly
>visited but maybe they are adverts or something?

Or maybe the tool you are using to identify the names of sites is not the right one to be using. 'RIPE.NET' is actually 'Reseaux IP Europeens' which is the European regional Internet Registrar - one of the Internet agencies that allocates IP addresses. "LIQUIDWEB.COM" is a bandwidth provider in Lansing, Michigan (roughly half way between Toronto and Chicago). They happen to "own" the netspace used by that ephotozine.com host.

[compton ~]$ arinwhois 69.16.237.154
[whois.arin.net]

OrgName:    Liquid Web, Inc.
OrgID:      LQWB
Address:    4210 Creyts Rd.
City:       Lansing
StateProv:  MI
PostalCode: 48917
Country:    US
NetRange:   69.16.192.0 - 69.16.255.255
CIDR:       69.16.192.0/18
NetName:    LIQUIDWEB-4

[...]

[compton ~]$

>Am I worrying unnecessarily?

If the local source of the requests (192.168.1.34) is your system, OR if you are intentionally running a public hot-spot - probably OK. If this is not the case, yeah you may have a problem. Remember that most windoze style networking setups are configured such that anyone can use them out of the box. Security is intentionally disabled because most users don't want to read the crappy manual that came with the product, and the product manufacturer saved money by not providing clear instructions of how to set things up securely because they knew no one is interested.

Old guy
From: deja on 12 Sep 2006 08:21

> >To my untrained eye, it seems odd that this access just goes through
> >all the available ports (I have many more logs - it seemed to start
> >with port 1028 and goes up to 4999 before starting again).
>
> Normal - the single web page contains a number of URLs, and each has to
> be retrieved separately.

thanks for this - I didn't understand that it is normal to use all the ports like this. In that case I am worrying about nothing ( I think!)

Moe Trin wrote:
> On 2 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
> <1157211321.843329.308810(a)m79g2000cwm.googlegroups.com>, deja(a)2bytes.co.uk
> wrote:
>
> >Let me start by saying I know nothing about firewalls and ports.
> >However I have just started looking at the router logs on my wireless
> >network. And I'm a little worried. For example I seem to be getting
> >masses of Access Forwards from an almost sequential list of ports i.e:
> >
> >116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80
>
> [compton ~]$ host 69.16.237.154
> 154.237.16.69.IN-ADDR.ARPA domain name pointer host1.ephotozine.com
> [compton ~]$
>
> >|ACCESS FORWARD
> > Firewall default policy: TCP (L to W)
>
> Someone surfing. The multiple access is because they are retrieving
> multiple pages. It's from your wireless side, going out to the world.
>
> >To my untrained eye, it seems odd that this access just goes through
> >all the available ports (I have many more logs - it seemed to start
> >with port 1028 and goes up to 4999 before starting again).
>
> Normal - the single web page contains a number of URLs, and each has to
> be retrieved separately.
>
> >This is keeping the router busy all the time with up to 10 accesses per
> >minute solidly throughout the day.
>
> Are you the one accessing these sites, or are you acting as a public hot
> spot because you left the router in the default condition?
>
> >Is this normal?
>
> For a system in use? Sure.
>
> >Some of the destination ips seem to be expected (Google etc) others just
> >point mysteriously at RIPE.NET or LIQUIDWEB.COM which we haven't knowingly
> >visited but maybe they are adverts or something?
>
> Or maybe the tool you are using to identify the names of sites is not the
> right one to be using. 'RIPE.NET' is actually 'Reseaux IP Europeens'
> which is the European regional Internet Registrar - one of the Internet
> agencies that allocates IP addresses. "LIQUIDWEB.COM" is a bandwidth
> provider in Lansing, Michigan (roughly half way between Toronto and
> Chicago). They happen to "own" the netspace used by that ephotozine.com
> host.
>
> [compton ~]$ arinwhois 69.16.237.154
> [whois.arin.net]
>
> OrgName:    Liquid Web, Inc.
> OrgID:      LQWB
> Address:    4210 Creyts Rd.
> City:       Lansing
> StateProv:  MI
> PostalCode: 48917
> Country:    US
> NetRange:   69.16.192.0 - 69.16.255.255
> CIDR:       69.16.192.0/18
> NetName:    LIQUIDWEB-4
>
> [...]
>
> [compton ~]$
>
> >Am I worrying unnecessarily?
>
> If the local source of the requests (192.168.1.34) is your system, OR if
> you are intentionally running a public hot-spot - probably OK. If this is
> not the case, yeah you may have a problem. Remember that most windoze
> style networking setups are configured such that anyone can use them out
> of the box. Security is intentionally disabled because most users don't
> want to read the crappy manual that came with the product, and the product
> manufacturer saved money by not providing clear instructions of how to
> set things up securely because they knew no one is interested.
>
> Old guy
From: maybenot on 14 Sep 2006 01:40

<deja(a)2bytes.co.uk> wrote in message news:1157211321.843329.308810(a)m79g2000cwm.googlegroups.com...
| Let me start by saying I know nothing about firewalls and ports.
| However I have just started looking at the router logs on my wireless
| network. And I'm a little worried. For example I seem to be getting
| masses of Access Forwards from an almost sequential list of ports i.e:
|
| 116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 117|09/02/2006 15:24:28 |192.168.1.34:1589 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 118|09/02/2006 15:24:28 |192.168.1.34:1587 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 119|09/02/2006 15:24:28 |192.168.1.34:1585 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 120|09/02/2006 15:24:27 |192.168.1.34:1583 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 121|09/02/2006 15:24:27 |192.168.1.34:1581 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 122|09/02/2006 15:24:27 |192.168.1.34:1579 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 123|09/02/2006 15:24:27 |192.168.1.34:1577 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 125|09/02/2006 15:24:27 |192.168.1.34:1575 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 126|09/02/2006 15:24:26 |192.168.1.34:1573 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 127|09/02/2006 15:24:26 |192.168.1.34:1571 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 128|09/02/2006 15:24:26 |192.168.1.34:1569 |69.16.237.154:80 |ACCESS FORWARD
| Firewall default policy: TCP (L to W)
|
| To my untrained eye, it seems odd that this access just goes through
| all the available ports (I have many more logs - it seemed to start
| with port 1028 and goes up to 4999 before starting again). This is
| keeping the router busy all the time with up to 10 accesses per minute
| solidly throughout the day. Is this normal? Some of the destination ips
| seem to be expected (Google etc) others just point mysteriously at
| RIPE.NET or LIQUIDWEB.COM which we haven't knowingly visited but maybe
| they are adverts or something?
|
| Am I worrying unnecessarily?

Your logs are showing outbound requests from your browser. Your router logging obviously logs outbound traffic, by the looks of it, 192.168.1.34 who ever is using it is enjoying the web.<g>.

You will know the direction of the traffic from the firewall default policy.

a. L to W -----> outbound
b. W to L -----> inbound
c. W to W -----> internet to router WAN.
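As an added example (not code from the thread), a small Python parser for the router log format quoted above that applies the two explanations the replies give: consecutive client ports toward one server are reported as the ephemeral port range of separate connections rather than as "ports hit", direction is read from the L/W key, and the only things flagged are non-outbound forwards and LAN sources that are not in a list of your own machines (Moe Trin's "your system or an open hot-spot" question). The 192.168.1.50 and 203.0.113.7 entries in the sample are constructed.

```python
import re
from collections import defaultdict

# Log layout as quoted in the thread, one entry per line:
#   idx|MM/DD/YYYY HH:MM:SS |src_ip:port |dst_ip:port |ACTION Firewall default policy: PROTO (X to Y)
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\|(?P<ts>\S+ \S+) \|(?P<sip>[\d.]+):(?P<sport>\d+) \|"
    r"(?P<dip>[\d.]+):(?P<dport>\d+) \|(?P<action>[A-Z ]+?) "
    r"Firewall default policy: (?P<proto>\w+) \((?P<a>[LW]) to (?P<b>[LW])\)$"
)
# Direction key as explained in the thread: L = your LAN side, W = the WAN/Internet side.
DIRECTION = {("L", "W"): "outbound", ("W", "L"): "inbound", ("W", "W"): "wan-to-router"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    e["direction"] = DIRECTION.get((e["a"], e["b"]), "unknown")
    return e

def summarize(lines, known_lan_hosts):
    """Group entries per (LAN host, server, server port); flag non-outbound and unknown-host entries."""
    groups, flags = defaultdict(list), []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        groups[(e["sip"], e["dip"], e["dport"])].append(e["sport"])
        if e["direction"] != "outbound":
            flags.append(f"{e['idx']}: {e['direction']} {e['sip']}:{e['sport']} -> {e['dip']}:{e['dport']}")
        elif e["sip"] not in known_lan_hosts:
            flags.append(f"{e['idx']}: unknown LAN host {e['sip']} -> {e['dip']}:{e['dport']}")
    # Rising client ports toward one server are the ephemeral ports of separate TCP
    # connections (one per fetched URL), so report them as a range, not as "ports hit".
    report = {k: {"connections": len(p), "client_ports": (min(p), max(p))} for k, p in groups.items()}
    return report, flags

# Constructed sample: lines 116-118 as quoted in the thread, plus two invented entries
# (a second LAN host and an inbound forward from a documentation-range address).
SAMPLE = """\
116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
117|09/02/2006 15:24:28 |192.168.1.34:1589 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
118|09/02/2006 15:24:28 |192.168.1.34:1587 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
200|09/02/2006 16:01:02 |192.168.1.50:1033 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
201|09/02/2006 16:02:10 |203.0.113.7:4444 |192.168.1.34:80 |ACCESS FORWARD Firewall default policy: TCP (W to L)
""".splitlines()
```

Call `summarize(SAMPLE, {"192.168.1.34"})` to get the per-destination report and the flag list; with a real log, pass the file's lines and the addresses of the machines you know are yours.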