Firewall hits passing through a NAT router - How does that work?
(Linux Security forums, System Security and Security Related category)
I'm running the Firestarter v.0.92 firewall, installed with default settings (all traffic from the Internet denied unless it's a response to traffic initiated by my machine) on my desktop machine which runs Xandros 2.0.1 and is connected to the Internet via a NAT router and a cable modem broadband connection. When I scan my machine using the port scanning services offered by Sygate, GRC, PCFlank etc., all ports scanned are diagnosed as stealthed. No surprise, as it is the router that's being scanned, I assume. I also assume that no connect attempt from the Internet that's not in response to a connect initiated by myself should pass through the router.

Yet, I sometimes get firewall hits, occasionally lots of them (dozens in a session) that are recorded by Firestarter as dropped packets. They consistently come from a small number of domains, in particular reverse.theplanet.com (quite a few different specific IP addresses in that domain, e.g. 70.85.109.180, 70.85.15.34, 70.85.14.242, 70.84.68.196), reverse.coreix.net (e.g. 83.142.30.80) and dd8316.kasserver.com (a German "customer administration system"). The ports that are hit are in the high range, e.g. 45321-45445, 33277 and higher, 38600-38800, etc.

Typical log entries in the /var/log/messages file of Xandros (a Debian-based distro) look like this:

Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Two questions:

1. How is it possible that an unauthorized connect attempt from these sources can penetrate through the NAT router to be recorded by my firewall? As an aside, one of the security scanners available on the web that I used to have my machine scanned (I don't remember which) was actually able to determine the correct local (LAN) address of my machine, behind the router. How is that possible?

2. Who are these folks at reverse.theplanet.com, reverse.coreix.net and kasserver.com, and what are they up to?

Many thanks for your help.

Robert
On Tue, 26 Apr 2005 18:23:11 -0400, Robert Glueck mumbled something like this:

> I'm running the Firestarter v.0.92 firewall, installed with default settings (all traffic from the Internet denied unless it's a response to traffic initiated by my machine) on my desktop machine which runs Xandros 2.0.1 and is connected to the Internet via a NAT router and a cable modem broadband connection. When I scan my machine using the port scanning services offered by Sygate, GRC, PCFlank etc., all ports scanned are diagnosed as stealthed. No surprise, as it is the router that's being scanned, I assume. I also assume that no connect attempt from the Internet that's not in response to a connect initiated by myself should pass through the router.
>
> Yet, I sometimes get firewall hits, occasionally lots of them (dozens in a session) that are recorded by Firestarter as dropped packets. They consistently come from a small number of domains, in particular reverse.theplanet.com (quite a few different specific IP addresses in that domain, e.g. 70.85.109.180, 70.85.15.34, 70.85.14.242, 70.84.68.196), reverse.coreix.net (e.g. 83.142.30.80) and dd8316.kasserver.com (a German "customer administration system"). The ports that are hit are in the high range, e.g. 45321-45445, 33277 and higher, 38600-38800, etc.
>
> Typical log entries in the /var/log/messages file of Xandros (a Debian-based distro) look like this:
>
> Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
> Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
> Two questions:
>
> 1. How is it possible that an unauthorized connect attempt from these sources can penetrate through the NAT router to be recorded by my firewall? As an aside, one of the security scanners available on the web that I used to have my machine scanned (I don't remember which) was actually able to determine the correct local (LAN) address of my machine, behind the router. How is that possible?
>
> 2. Who are these folks at reverse.theplanet.com, reverse.coreix.net and kasserver.com, and what are they up to?
>
> Many thanks for your help.
>
> Robert

The above are responses from a web server (SPT=80). You sometimes get this behaviour when the web server is so slow to respond that the connection is timed out by your browsing machine, but the router still remembers the connection and passes it through. I see this frequently with one of the news servers I use.

-- Rinso
Rincewind replied:

> The above are responses from a web server (SPT=80). You sometimes get this behaviour when the web server is so slow to respond that the connection is timed out by your browsing machine, but the router still remembers the connection and passes it through. I see this frequently with one of the news servers I use.

Thanks for your response. Hmmm, but shouldn't DPT=80, too? Why is the dropped return packet addressed to one of these high ports?
I did a bit of research: ThePlanet.com Internet Services is an ISP that appears to be a notorious host of spammers, including the infamous MrCash from Canada and of various distributors of a number of African banking scams. There are a host of citations of ThePlanet.com in news.admin.net-abuse.sightings. So the connect attempts from ThePlanet.com are not random or benign. What are they trying to do?
On Tue, 26 Apr 2005 20:40:32 -0400, Robert Glueck mumbled something like this:

> Rincewind replied:
>
>> The above are responses from a web server (SPT=80). You sometimes get this behaviour when the web server is so slow to respond that the connection is timed out by your browsing machine, but the router still remembers the connection and passes it through. I see this frequently with one of the news servers I use.
>
> Thanks for your response. Hmmm, but shouldn't DPT=80, too? Why is the dropped return packet addressed to one of these high ports?

Because when your machine initiates an outgoing connection, it uses a random high numbered (non privileged) port. This is correct behaviour.

-- Rinso
Robert Glueck <rglk@web.de> wrote in news:t6KdnRERLNDzI_PfRVn-1w@rcn.net:

> I'm running the Firestarter v.0.92 firewall, installed with default settings (all traffic from the Internet denied unless it's a response to traffic initiated by my machine) on my desktop machine which runs Xandros 2.0.1 and is connected to the Internet via a NAT router and a cable modem broadband connection. When I scan my machine using the port scanning services offered by Sygate, GRC, PCFlank etc., all ports scanned are diagnosed as stealthed. No surprise, as it is the router that's being scanned, I assume. I also assume that no connect attempt from the Internet that's not in response to a connect initiated by myself should pass through the router.
>
> Yet, I sometimes get firewall hits, occasionally lots of them (dozens in a session) that are recorded by Firestarter as dropped packets. They consistently come from a small number of domains, in particular reverse.theplanet.com (quite a few different specific IP addresses in that domain, e.g. 70.85.109.180, 70.85.15.34, 70.85.14.242, 70.84.68.196), reverse.coreix.net (e.g. 83.142.30.80) and dd8316.kasserver.com (a German "customer administration system"). The ports that are hit are in the high range, e.g. 45321-45445, 33277 and higher, 38600-38800, etc.
>
> Typical log entries in the /var/log/messages file of Xandros (a Debian-based distro) look like this:
>
> Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
> Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Those appear to be http servers that are responding to a SYN request from your machine. If you accessed these sites from a browser but then closed the browser before the response came back you would get this sort of thing happening.

> Two questions:
>
> 1. How is it possible that an unauthorized connect attempt from these sources can penetrate through the NAT router to be recorded by my firewall? As an aside, one of the security scanners available on the web that I used to have my machine scanned (I don't remember which) was actually able to determine the correct local (LAN) address of my machine, behind the router. How is that possible?

A connect attempt would be a SYN packet. These appear to be acknowledgments of SYN packets sent by your machine.

K.

> 2. Who are these folks at reverse.theplanet.com, reverse.coreix.net and kasserver.com, and what are they up to?
>
> Many thanks for your help.
>
> Robert
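The distinction the two replies draw (a bare SYN is an inbound connect attempt; a SYN/ACK to a high port is the late answer to a connection this host opened, which the router's NAT table still mapped back) can be checked mechanically against the log format quoted above. The script below is an added example, not code from anyone in the thread; it parses the two log lines Robert posted plus one constructed bare-SYN line (source 198.51.100.7 is a documentation address) and labels each dropped segment.

```python
# Constructed sample: the two lines quoted in the thread plus one made-up
# inbound SYN to port 445 so both cases appear.
SAMPLE_LOG = """\
Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 20 19:01:02 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=198.51.100.7 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1234 DF PROTO=TCP SPT=4321 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
"""

def parse_netfilter_line(line):
    """Parse one netfilter kernel log line into a dict.
    KEY=VALUE tokens become entries (OUT= gives an empty string); bare
    tokens such as DF, SYN, ACK are collected in the 'flags' set."""
    _, _, body = line.partition("kernel: ")
    fields, flags = {}, set()
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.add(tok)
    fields["flags"] = flags
    return fields

def classify(fields):
    """Label a dropped inbound TCP segment by its TCP flags."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["flags"]
    dpt = int(fields.get("DPT", 0))
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"            # a real attempt to open a connection to us
    if "SYN" in flags and "ACK" in flags:
        # A SYN/ACK can only answer a SYN we sent. Aimed at an ephemeral
        # (>= 1024) port it is the late reply the thread describes: the
        # browser gave up, but the router's NAT entry was still alive.
        return "late-syn-ack" if dpt >= 1024 else "syn-ack-to-service-port"
    if "RST" in flags:
        return "reset"
    return "other-tcp"                  # stray ACK/FIN of a finished session

def triage(log_text):
    """Return (SRC, SPT, DPT, label) for every line in the log text."""
    return [(f["SRC"], f["SPT"], f["DPT"], classify(f))
            for f in map(parse_netfilter_line, log_text.strip().splitlines())]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run over a real /var/log/messages, a steady stream of "late-syn-ack" rows to high ports is the benign case discussed here; rows labelled "inbound-syn" are the ones that would actually indicate something reaching the host unsolicited.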