"SFW2-INext-DROP-DEFLT" messages

MassDosage · 01-21-2006, 05:31 AM

Hey there,

I am running SuSe 9.1 and notice messages every few seconds in /var/log/messages like:

Jan 21 11:16:07 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=69.166.50.231 DST=192.168.2.103 LEN=90 TOS=0x00 PREC=0x00 TTL=110 ID=39140 PROTO=UDP SPT=6881 DPT=33329 LEN=70
Jan 21 11:16:08 impi kernel: SFW2-INext-ACC-TCP IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=207.172.210.35 DST=192.168.2.103 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=19349 DF PROTO=TCP SPT=40399 DPT=33329 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0204059C0402080A04046C5B0000000001030302)
Jan 21 11:16:10 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=62.1.246.89 DST=192.168.2.103 LEN=90 TOS=0x00 PREC=0x00 TTL=111 ID=64976 PROTO=UDP SPT=52323 DPT=33329 LEN=70
Jan 21 11:16:11 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=80.171.49.45 DST=192.168.2.103 LEN=64 TOS=0x00 PREC=0x00 TTL=114 ID=35824 PROTO=UDP SPT=6881 DPT=33329 LEN=44
Jan 21 11:16:12 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=213.60.237.135 DST=192.168.2.103 LEN=69 TOS=0x00 PREC=0x00 TTL=112 ID=21735 PROTO=UDP SPT=6891 DPT=33329 LEN=49
Jan 21 11:16:22 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=83.135.17.146 DST=192.168.2.103 LEN=90 TOS=0x00 PREC=0x00 TTL=117 ID=20107 PROTO=UDP SPT=7001 DPT=33329 LEN=70
Jan 21 11:16:22 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=85.164.48.193 DST=192.168.2.103 LEN=90 TOS=0x00 PREC=0x00 TTL=50 ID=30430 DF PROTO=UDP SPT=6919 DPT=33329 LEN=70
Jan 21 11:16:22 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=70.178.221.71 DST=192.168.2.103 LEN=70 TOS=0x00 PREC=0x00 TTL=112 ID=21118 PROTO=UDP SPT=6881 DPT=33329 LEN=50
Jan 21 11:16:26 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=69.117.42.163 DST=192.168.2.103 LEN=90 TOS=0x00 PREC=0x00 TTL=115 ID=58025 PROTO=UDP SPT=51931 DPT=33329 LEN=70
Jan 21 11:16:27 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=220.233.7.197 DST=192.168.2.103 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=14860 PROTO=UDP SPT=6881 DPT=33329 LEN=72
Jan 21 11:16:27 impi kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= MAC=00:02:44:4f:3a:78:00:0e:2e:4f:2d:da:08:00 SRC=213.10.28.145 DST=192.168.2.103 LEN=90 TOS=0x00 PREC=0x00 TTL=118 ID=4424 PROTO=UDP SPT=6881 DPT=33329 LEN=70

Which seem to be messages from SuSe's firewall. I'm not sure exactly what they mean and if I should be concerned about them. It's strange that they seem to be coming from such a range of different IP addresses. I have stopped all running programs which connect to the internet and these messages continue. I have read through a few threads where people have had similar problems (such as http://www.linuxquestions.org/questi...d.php?t=267395
) but nobody seems to be able to give an authoritative explanation of what this means. I'm also a bit worried that one of those messages is "SFW2-INext-ACC-TCP" as I don't expect to be accepting any incoming traffic from anyone.

Any ideas?

peter_robb · 01-23-2006, 11:16 AM

Make a LOG entry to log the outgoing UDP packets from 192.168.2.103

The source port of the packets coming in will be the DPT of the packets going out, which 6881 is a bittorrent port..

MassDosage · 01-23-2006, 03:03 PM

I did some more monitoring of my log files and those messages kept appearing every few seconds even with basically all my local apps shut down. It looks like there was an "army" of a few hundred machines randomly connecting to ports that I have had open over the last 6 months or so (including bit torrent like you pointed out), even an ftp server that I had running on port 333329 for only a few days! I nmap'd some of them back and found quite a few were Windows machines in the same IP address range as my cable provider, so they were quite likely hacked zombie machines that were then trying to take over other machines on the same network. I modified my router settings to close all the ports I was no longer using and after a day the scans dried up from 1 every few seconds to one every few hours. This is the first time I've been a target of such an "attack" so at first I didn't recognise the symptoms.

peter_robb · 01-23-2006, 03:48 PM

Aahh.. the sweet joys of being monitored in an external network!

These machines get the advantage of using you as a gateway as you're local to them.
If there's nothing in that net you would talk to, make up a mangle rule to drop anything with a local destination address (eth0) but not coming from your gateway's MAC address.

Watch for dns servers etc in the ISP's net that eth1 is local to.