From: Joel Newkirk <netfilter@newkirk.us>
To: netfilter@lists.netfilter.org
Subject: Odd Packets, semi-OT
Date: Mon, 11 Nov 2002 16:24:55 -0500
Message-ID: <200211111624.55737.netfilter@newkirk.us>
Just felt the need to share this story... It may be vaguely educational, more
likely vaguely entertaining.

I have my filter forward chain set up so that my son's machine can request
port 80 tcp, port 53 udp, and ESTABLISHED/RELATED rules (one inbound, one
outbound, to count each) to let him browse. (He's 7, precocious, and his
WinXP machine is set up to block content without my password except about 10
sites I've approved - little stinker keeps telling me how much easier it would be if I
just gave him the password...) After the above four rules, I log everything
else his machine sends, then accept, then have a drop policy for the chain to
catch anything else.

We've had some activity on this list the past few days regarding forwarding
and NAT, and it occurred to me to take a look at my forward logs.

Well, in scanning logs I came across connections from his machine to a public
IP at ports 6667 and 28805. Lockdown time, with reject instead of accept for
his last rule. Worm or virus, right? Port 6667 at least matches a known
trojan port, while 28805 yields Crimson Skies, Asheron's Call, and Asheville,
NC addresses. (Neither installed.) VirusScan it. Machine is clean. (Not
surprising considering I wipe and reinstall it every few months, it has no
email, and is limited to a dozen large commercial sites, i.e. disney.com, lego.com.)

Well (again), where are the packets going? 207.46.203.33-35. Before anyone
bothers checking (although I'll bet someone recognizes this), these IPs are
owned by Microsoft. WinXP phoning home, right? Thought I'd shut all that
crap down... double-check it. Well, shit, I did shut it all down.

I set up a separate log and reject process for these packets, and watch.
Flurries of attempts here and there. Wait, they seem to be only when he's
actively using his machine. Codec requests? search.msn connections? What??

Well, I finally catch some of this activity as it's happening, and it turns
out he's discovered Internet Backgammon, Spades, and Checkers... (I wonder
who his opponents were? :^) I decided to add a new forward rule allowing
connection to that (/24) IP on those ports. I also decided to keep the
default LOG & REJECT policy for his machine...

If you are a player of one of these games, then you have been warned. Your
next opponent could be a 7-year-old. And no, he doesn't really seem to know
how to play Backgammon. (Hell, I don't... :^)
j