firewall log entries
Lloyd Kvam
python at venix.com
Sat Nov 13 09:58:01 EST 2010
In reviewing my laptop log watch I noticed this entry:
--------------------- iptables firewall Begin ------------------------
Listed by source hosts:
Logged 1009 packets on interface eth0
From 63.217.156.81 - 831 packets to
tcp(32786,32787,32788,32857,32858,32894,32895,32896,33193,33194,33200,33201,33202,33525,33526,34755,34756,34811,34812,34813,35372,35373,35617,35618,35619,35711,35712,35713,36230,36231,36232,36477,36478,36479,36779,36780,37253,37254,37255,37349,37350,37351,37765,37766,38588,38589,38590,38693,38694,38695,38746,38747,38748,38961,38962,39297,39298,39441,39442,39443,39814,39815,40671,40672,40673,41173,41174,41283,41284,41498,41499,41500,41818,41819,41820,42025,42026,42509,42510,42511,43198,43199,43200,43273,43274,43277,43418,43419,43420,43755,43756,44013,44014,44015,44203,44204,44402,44403,45061,45062,45160,45161,45991,45992,46106,46107,46108,46109,46140,46141,46243,46244,46245,46253,46254,46255,47736,47737,47738,48258,48259,48260,48330,48331,48899,48900,49142,49143,49883,49884,50165,50166,50167,50985,50986,51095,51096,51097,51353,51354,52483,52484,52485,53038,53668,53669,53670,53711,53712,53926,53927,54113,54114,54115,54183,54184,54185,54361
,54362,54363,54796,54797,54798,55070,55071,55331,55333,55334,55445,55446,55447,55704,55705,55706,55735,55736,55737,56088,56089,56295,56296,56345,56346,56347,56640,56641,56642,57327,57328,57709,57710,57711,57818,57819,58247,58248,58249,58274,58275,58355,58356,58357,58735,58736,59122,59123,59366,59367,59368,59448,59449,59630,59631,59951,59953,59954,59995,59996,60207,60208,60253,60254,60255,60544,60545,60563,60564,60835,60836,60837,60891,60892)
From 173.194.34.104 - 146 packets to
tcp(33370,35014,36873,37467,38486,39229,39515,39748,40666,41234,41640,42183,42186,43815,44709,45485,45535,46533,46642,46964,47498,47933,48000,48152,48658,49088,49109,49679,49744,49817,51190,51637,52506,54398,54672,54975,55209,55869,56591,56627,56937,57121,57174,57557,57715,58139,58306,60803)
---------------------- iptables firewall End -------------------------

My laptop is running Ubuntu 10.4 and sits behind an openWRT Linksys
router running NAT. So the blocked packets had to be coming from
computers where the laptop had instigated the connection.

netstat shows these entries for those IP addresses:

netstat -naepWv | egrep '173.194.34.104|63.217.156.81'
tcp 0 0 192.168.0.2:50329 63.217.156.81:80 ESTABLISHED 1000 502166 3559/clock-applet
tcp 0 0 192.168.0.2:50331 63.217.156.81:80 ESTABLISHED 1000 502498 3559/clock-applet
tcp 1 0 192.168.0.2:48662 63.217.156.81:80 CLOSE_WAIT 1000 506060 3561/gweather-apple
tcp 0 0 192.168.0.2:50330 63.217.156.81:80 ESTABLISHED 1000 502461 3559/clock-applet
tcp 1 0 192.168.0.2:40670 173.194.34.104:443 CLOSE_WAIT 1000 502729 3742/evolution-data
tcp 1 0 192.168.0.2:48663 63.217.156.81:80 CLOSE_WAIT 1000 506061 3561/gweather-apple

So the 63.217.156.81 entries appear to be related to the clock-applet
and weather-applet. The evolution-data may be calendar related. I'll
need to investigate further.

The firewall log first started reporting these blocked connections on
Nov 11. Comparing the blocked port numbers in the firewall log to the
port numbers in use from netstat, I can believe that this could be an
artifact of a bug where the connections are closed improperly.

There was a kernel update on Nov 11 along with some other packages that
I do not think are connected to the clock/weather applets. Evolution
was also updated.

So why did I send this email?

I'm looking for advice as to what I should do next. Should I be filing
a bug report? Which app? Is it the kernel? What other info should be
in a bug report? Are others seeing entries like this in their firewall
logs?

Thanks for your thoughts.

--
Lloyd Kvam
Venix Corp
DLSLUG/GNHLUG library
http://dlslug.org/library.html
http://www.librarything.com/catalog/dlslug
http://www.librarything.com/catalog/dlslug&sort=stamp
http://www.librarything.com/rss/recent/dlslug
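
Added example, not part of the original post: a Python sketch of the comparison the message describes, matching each blocked source in the logwatch summary against the peers netstat shows and checking whether the blocked destination ports look like client-side ephemeral ports. The sample input is excerpted from the post with port lists shortened; the function names and the 32768-61000 ephemeral range are assumptions.

```python
import re
from collections import defaultdict

EPHEMERAL = range(32768, 61001)  # assumption: Linux default ip_local_port_range
# Excerpts of the post's output, port lists shortened (one wrapped as in the mail).
LOGWATCH = """\
From 63.217.156.81 - 831 packets to
tcp(32786,32787,32788,54361
,54362,54363,60891,60892)
From 173.194.34.104 - 146 packets to
tcp(33370,35014,40666,60803)
"""
NETSTAT = """\
tcp 0 0 192.168.0.2:50329 63.217.156.81:80 ESTABLISHED 1000 502166 3559/clock-applet
tcp 1 0 192.168.0.2:48662 63.217.156.81:80 CLOSE_WAIT 1000 506060 3561/gweather-apple
tcp 1 0 192.168.0.2:40670 173.194.34.104:443 CLOSE_WAIT 1000 502729 3742/evolution-data
"""

def parse_logwatch(text):
    """Map source IP -> (packet count, blocked destination ports)."""
    pat = re.compile(r"From (\S+) - (\d+) packets? to\s+tcp\(([\d,\s]+)\)")
    return {ip: (int(n), [int(p) for p in re.findall(r"\d+", ports)])
            for ip, n, ports in pat.findall(text)}

def parse_netstat(text):
    """Map remote IP -> [(local port, remote port, state, program)]."""
    peers = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].startswith("tcp") or f[4].endswith(":*"):
            continue  # skip headers and LISTEN rows (remote port "*")
        lport = int(f[3].rsplit(":", 1)[1])
        rip, rport = f[4].rsplit(":", 1)
        peers[rip].append((lport, int(rport), f[5], f[8].split("/", 1)[-1]))
    return peers

def correlate(logwatch_text, netstat_text):
    """Per blocked source: is it a peer we connected to, and on which ports?"""
    peers, report = parse_netstat(netstat_text), {}
    for ip, (count, ports) in parse_logwatch(logwatch_text).items():
        conns = peers.get(ip, [])
        report[ip] = {
            "packets": count,
            "known_peer": bool(conns),
            "services": sorted({c[1] for c in conns}),
            "programs": sorted({c[3] for c in conns}),
            "ephemeral_share": sum(p in EPHEMERAL for p in ports) / (len(ports) or 1),
            "still_open": sorted(set(ports) & {c[0] for c in conns}),
        }
    return report
```

A source that is a known peer, with every blocked port in the ephemeral range and none still open, fits the post's reading of late packets for connections the firewall no longer tracks; it does not by itself identify which component closed them improperly.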