[ILUG] Firewall Log Question
eduardo
eduardo_26 at hotmail.com
Thu Nov 22 17:41:01 GMT 2001
We are in a mixed network, which includes a Cisco router, a 3COM switch
common to the two networks and a hub where the gateway/firewall Linux computer
is connected.
One of the networks is my company network (192.168.X.X / 255.255.0.0; I am in
charge of it) and the other network belongs to another company (10.10.X.X /
255.255.0.0). This company has a VPN. Now, they are accusing me of being a hacker,
alleging we have tried to go into their VPN. As proof of that, they are
showing the following type of message:
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
They have as many as 40 pages of this type of message, presenting this
"deny" access as the evidence that we have tried to penetrate their network.
Since we are not interested in going into that VPN, nor have we tried to do
it, please help me find a technical explanation for the "evidence" they
have shown.
With this I send a small description of how the network has been
set up and the hardware that we are using.
Network 1 : 10.10.X.X / 255.255.0.0 (The Other Company/Firewall)
Network 2 : 192.168.5.X.X / 255.255.0.0 (My company)
The switch has 2 VLANs.
The switch and gateway/firewall are controlled by the other company.
The router connects us to the internet. The router is controlled by the ISP.
-------- -------- -------------
|Router| |HUB | |Comp. (Win)|(192.168.X.X)
|Cisco |---->| |--->|Network 2 |
-------- -------- -------------
(192.168.X.X) | |_____________________
(10.10.X.X) | |(port Vlan2)
v v
---------- ----------(Vlan 2) 192.168.X.X
|Gateway | |Switch |-------->NetWork 2 (Windows)
|FireWall|------------>|3Com |(Vlan 1)
|(Linux) | (port Vlan1)| |-------->NetWork 1 (Windows)
---------- ---------- 10.10.X.X
(10.10.X.X) (10.10.X.X)
Thanks.
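The entries quoted above are in the Linux ipchains kernel "Packet log:" format. As an added example that is not part of the original message, the following Python script parses lines in that format and sorts them by what they actually involve: the address ranges are the two /16 networks described in the post, and the sample lines are the post's own nine entries re-joined onto single lines (the archive had wrapped them). The category names and the helper functions are this example's own choices.

```python
"""Triage of ipchains "Packet log:" entries (added example, not from the post).

Separates NetBIOS broadcast noise from the 192.168 side from any packet
that actually involves the other company's 10.10.0.0/16 range.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

MY_NET = ip_network("192.168.0.0/16")     # poster's company (from the post)
OTHER_NET = ip_network("10.10.0.0/16")    # the other company (from the post)
NETBIOS_PORTS = {137, 138, 139}           # NetBIOS name, datagram, session services

# The post's own entries, each rejoined onto one line.
SAMPLE_LOG = """\
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
"""

# Field layout as it appears in the quoted lines:
#   <ts> <host> kernel: Packet log: <chain> <action> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        e[key] = int(e[key])
    return e


def is_broadcast(dst):
    """True for the /16 broadcast of the poster's network (192.168.255.255)
    and for a subnet-directed /24 broadcast such as 192.168.2.255."""
    return (dst == MY_NET.broadcast_address
            or dst == ip_network(f"{dst}/24", strict=False).broadcast_address)


def classify(e):
    """Label one parsed entry by what the addresses and ports actually show."""
    src, dst = ip_address(e["src"]), ip_address(e["dst"])
    if (e["proto"] == 17 and e["dport"] in NETBIOS_PORTS
            and src in MY_NET and is_broadcast(dst)):
        # UDP 137/138 to a broadcast address: Windows name-service and browser
        # announcements that every host in the broadcast domain receives.
        return "netbios-broadcast"
    if src in OTHER_NET or dst in OTHER_NET:
        # The only category that could support the accusation in the post.
        return "touches-other-company-net"
    if not src.is_private and not dst.is_private:
        # Neither address belongs to either company's private range.
        return "external-to-external"
    return "other"


def triage(text):
    """Count entries per category; unparseable lines are counted separately."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        counts[classify(e) if e else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for name, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name:28s} {n}")
```

On the nine entries in the post, every DENY line is a 192.168.2.x host sending UDP to port 137 or 138 at 192.168.255.255 or 192.168.2.255, and the two REJECT lines carry public addresses that belong to neither 192.168.0.0/16 nor 10.10.0.0/16; nothing in the excerpt is addressed to the other company's range. A firewall whose interface shares the broadcast domain will log such broadcasts on every input-chain hit, which is how a few hosts' routine NetBIOS chatter becomes forty pages.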