05-18-2004
H. S.
Re: outgoing 10.x.x.x packets being logged

H. S. wrote:
>
> I am running Debian Sarge as a router. The box has eth0 connected to an
> ADSL modem, and eth1 connected to a switch to which my home computers
> are connected.
>
> My internal home network is 192.168.x.x.
>
> Network card config is:
>
> auto eth0
> iface eth0 inet static
> address 10.0.0.1
> netmask 255.0.0.0
> network 10.0.0.0
> broadcast 10.0.0.255
> #used 10.x.x.x just to have eth0 on different network than eth1
>
>
> auto eth1
> iface eth1 inet static
> address 192.168.0.2
> netmask 255.255.255.0
> network 192.168.0.0
> broadcast 192.168.0.255
>
>
> I have a firewall setup. Among other things, it stops all packets
> addressed to 192.168.x.x going to ppp0, my ADSL modem. Now, in the
> /var/log/syslog file, I see the lines given below. If somebody could
> explain what is going on, it would be great. It seems that packets
> addressed to 10.x.x.x destined towards eth0 are being logged. But where
> are these packets coming from? How do I find out what application is
> trying to send these packets?
>
> Thanks,
> ->HS
> PS: I am no expert in TCP/IP, though I have an overall understanding
> what each line of my firewall does.
>
> LOG lines:
>
> May 17 07:15:36 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58271 DF PROTO=TCP
> SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:15:39 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58272 DF PROTO=TCP
> SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:17:01 localhost /USR/SBIN/CRON[4798]: (root) CMD ( run-parts
> --report /etc/cron.hourly)
> May 17 07:30:36 localhost kernel: PingOfDeath: IN=ppp0 OUT= MAC=
> SRC=218.18.38.233 DST=65.92.22.19 LEN=60 TOS=0x00 PREC=0x00 TTL=31
> ID=27559 DF PROTO=TCP SPT=46311 DPT=49318 WINDOW=5808 RES=0x00 RST SYN
> URGP=0
> May 17 07:36:47 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.174.139.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1662 DF PROTO=TCP
> SPT=49878 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:36:50 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.174.139.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1663 DF PROTO=TCP
> SPT=49878 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:54:34 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.135.187.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30331 DF PROTO=TCP
> SPT=51463 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:54:37 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.135.187.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30332 DF PROTO=TCP
> SPT=51463 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 08:01:49 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.10.5.109 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35286 DF PROTO=TCP
> SPT=52094 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 08:01:52 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.10.5.109 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35287 DF PROTO=TCP
> SPT=52094 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
I guess comp.os.linux.security is not a high frequency newsgroup,
perhaps comp.os.linux.networking will be helpful. Hence this post to
networking.

Followups are all set to networking.

->HS

--
(Remove all underscores,if any, from my email address to get the correct
one. Apologies for the inconvenience but this is to reduce spam.)
