Firewall box stop responding

Seann Clark nombrandue at tsukinokage.net
Wed Jan 14 17:11:52 UTC 2009 

Les wrote:
> If you google RFC 1918, it will show that your system has sent a request
> for a private subnet out onto the global internet.  I am no IP guru, but
> I suspect that you will find the solution somewhere in the linux
> responses related to RFC 1918.
>
> Regards,
> Les H
> On Wed, 2009-01-14 at 14:31 -0200, Leonardo Korndorfer wrote:
>   
>> Hi all!
>>
>> I'm in a situation that is kinda hard to see what's happening. So I'm
>> going straight to the scenario:
>> I have a firewall box that somehow stops responding to all services
>> such as ssh and squid. It does answer ping.
>> Early this morning I was looking to the messages log with tail -f when
>> it just stop and then no responses again.
>>
>> Does anyone have lived this situation? 
>>
>> Here goes an example of the normality of logs when it just stops:
>>
>> /* regular log */
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Received SNMP packet(s) from UDP:
>> [192.168.0.13]:1660
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Connection from UDP:
>> [192.168.0.13]:1661
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Received SNMP packet(s) from UDP:
>> [192.168.0.13]:1661
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Connection from UDP:
>> [192.168.0.13]:1662
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Received SNMP packet(s) from UDP:
>> [192.168.0.13]:1662
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Connection from UDP:
>> [192.168.0.13]:1663
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Received SNMP packet(s) from UDP:
>> [192.168.0.13]:1663
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Connection from UDP:
>> [192.168.0.13]:1664
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Received SNMP packet(s) from UDP:
>> [192.168.0.13]:1664
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Connection from UDP:
>> [192.168.0.13]:1665
>> Jan 14 13:35:08 mercfw1 snmpd[2040]: Received SNMP packet(s) from UDP:
>> [192.168.0.13]:1665
>> Jan 14 13:35:06 mercfw1 named[1731]: client 127.0.0.1#38570: RFC 1918
>> response from Internet for 11.0.168.192.in-addr.arpa
>> /* forced shutdown and normal start log */
>> Jan 14 13:49:03 mercfw1 kernel: imklog 3.14.1, log source = /proc/kmsg
>> started.
>> Jan 14 13:49:03 mercfw1 kernel:
>> Inspecting /boot/System.map-2.6.25-14.fc9.i686
>> Jan 14 13:49:03 mercfw1 kernel: Loaded 28110 symbols
>> from /boot/System.map-2.6.25-14.fc9.i686.
>> Jan 14 13:49:03 mercfw1 kernel: Symbols match kernel version 2.6.25.
>> Jan 14 13:49:03 mercfw1 kernel: No module symbols loaded - kernel
>> modules not enabled.
>> If
>> The seconds before (13:35:06) are analogous. Nothing evil has
>> happened.
>>
>> Leonardo Richter Korndorfer
>>
>> personal @ http://leokorndorfer.no-ip.org
>> http://counter.li.org #384363
>> ICQ: 102788426
>>
>> -- 
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>>     
>
>   
In regards to the statement Les mentioned, unless your ISP is very 
poorly managed, its routers should drop any and all requests to/from a 
private RFC1918 subnet right into the bit bucket (or /dev/null, if you 
prefer). From the looks of it, if that 192.168 address range isn't the 
one you are using, it looks like something is sending commands via SNMP 
to your host (if you have an ISP like Cox, Comcast, etc, that uses cable 
modems, 90% of the time these are managed using SNMP, and you get fuzz 
that could mess up the system in strange ways if this happens to 
aggravate something in your system.)


If you are using iptables, try plugging in the ULOG log module for 
iptables, and set it up to grab a pcap of the logged traffic, and make 
sure to refresh it every day while you need to research this, and turn 
it off after. This will give you a better gateway into what/how/why you 
are seeing this traffic.  I am on a current version of fedora for my 
firewall, and I do see a lot of this type of traffic (10.x.x.x traffic) 
If this traffic is from your network, I would check to see what is 
firing off SNMP and find out why.


~Seann
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5614 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090114/ff5c2047/attachment-0001.bin

More information about the users mailing list