Linux Netfilter discussions
* Odd Packets, semi-OT
@ 2002-11-11 21:24 Joel Newkirk
From: Joel Newkirk @ 2002-11-11 21:24 UTC (permalink / raw)
  To: netfilter

Just felt the need to share this story...  It may be vaguely educational, more 
likely vaguely entertaining.

I have my filter forward chain set up so that my son's machine can request 
port 80 tcp, port 53 udp, and ESTABLISHED/RELATED rules (one inbound one 
outbound to count each) to let him browse.  (He's 7, precocious, and his 
WinXP machine is set up to block content without my password except about 10 
sites I've approved - little stinker keeps telling me how much easier if I 
just gave him the password...)  After the above four rules, I log everything 
else his machine sends, then accept, then have a drop policy for the chain to 
catch anything else.

We've had some activity on this list the past few days regarding forwarding 
and NAT, and it occurred to me to take a look at my forward logs.

Well, in scanning logs I came across connections from his machine to a public 
IP at port 6667 and 28805.  Lock down time, with reject instead of accept for 
his last rule.  Worm or Virus, right?  Port 6667 at least matches a known 
trojan port, while 28805 yields Crimson Skies, Asheron's Call, and Asheville 
NC addresses.  (neither installed)  VirusScan it.  Machine is clean.  (Not 
surprising considering I wipe and reinstall it every few months, it has no 
email, and is limited to a dozen large commercial sites, i.e. disney.com, 
lego.com)

Well (again), where are the packets going?  207.46.203.33-35.  Before anyone 
bothers checking (although I'll bet someone recognizes this) these IPs are 
owned by Microsoft.  WinXP phoning home, right?  Thought I'd shut all that 
crap down...  double-check it.  Well, shit, I did shut it all down.

I set up a separate log and reject process for these packets, and watch.  
Flurries of attempts here and there.  Wait, they seem to be only when he's 
actively using his machine.  Codec requests?  search.msn connections?  What??

Well, I finally catch some of this activity as it's happening, and it turns 
out he's discovered Internet Backgammon, Spades, and Checkers... (I wonder 
who his opponents were? :^)  I decided to add a new forward rule allowing 
connection to that (/24) IP on those ports.  I also decided to keep the 
default LOG & REJECT policy for his machine...

If you are a player of one of these games, then you have been warned.  Your 
next opponent could be a 7-year-old.  And no, he doesn't really seem to know 
how to play Backgammon.  (Hell, I don't... :^)

j
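The rule set the post describes, written out as an added example (this is not the author's actual script): it assumes a host address of 192.168.1.10 and a LAN interface eth1 (both constructed), treats the game servers' /24 as 207.46.203.0/24 and both game ports as TCP, and by default only prints the iptables commands so it can be checked without root; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (not in the post):
# the child's host is 192.168.1.10 (constructed), the LAN interface is eth1,
# the game servers' network is 207.46.203.0/24 and both game ports are TCP.
# IPT defaults to "echo iptables" so the script runs as a dry run; set
# IPT=iptables to actually install the rules.
IPT="${IPT:-echo iptables}"
KID=192.168.1.10
LAN=eth1
GAMES_NET=207.46.203.0/24

# Emit the rules for the child's machine as a dedicated chain hooked into FORWARD.
build_rules() {
    $IPT -N kid_fwd
    # What the post allowed: web, DNS, and the ESTABLISHED/RELATED pair
    # (one outbound, one inbound, so each direction is counted separately).
    $IPT -A kid_fwd -s "$KID" -p tcp --dport 80 -j ACCEPT
    $IPT -A kid_fwd -s "$KID" -p udp --dport 53 -j ACCEPT
    $IPT -A kid_fwd -s "$KID" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A kid_fwd -d "$KID" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The rule added after the investigation: the game-server /24 on its two ports.
    $IPT -A kid_fwd -s "$KID" -d "$GAMES_NET" -p tcp \
        -m multiport --dports 6667,28805 -j ACCEPT
    # Everything else the machine sends is logged and then rejected, the post's
    # final choice of LOG & REJECT instead of the original log-then-accept.
    $IPT -A kid_fwd -s "$KID" -j LOG --log-prefix "KID-FWD-REJECT: "
    $IPT -A kid_fwd -s "$KID" -j REJECT
    # Traffic arriving from the LAN side goes through the chain; the DROP policy
    # on FORWARD catches anything that falls out the bottom.
    $IPT -A FORWARD -i "$LAN" -j kid_fwd
    $IPT -P FORWARD DROP
}

# Count the rules that jump to a given target, so the set can be checked in dry-run mode.
count_target() {
    build_rules | grep -c -- "-j $1"
}

build_rules
```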
