Router logs
am 02.09.2006 17:35:21 von deja
Let me start by saying I know nothing about firewalls and ports.
However I have just started looking at the router logs on my wireless
network. And I'm a little worried. For example I seem to be getting
masses of Access Frowards from an almost sequential list of ports i.e:
116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
117|09/02/2006 15:24:28 |192.168.1.34:1589 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
118|09/02/2006 15:24:28 |192.168.1.34:1587 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
119|09/02/2006 15:24:28 |192.168.1.34:1585 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
120|09/02/2006 15:24:27 |192.168.1.34:1583 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
121|09/02/2006 15:24:27 |192.168.1.34:1581 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
122|09/02/2006 15:24:27 |192.168.1.34:1579 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
123|09/02/2006 15:24:27 |192.168.1.34:1577 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
125|09/02/2006 15:24:27 |192.168.1.34:1575 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
126|09/02/2006 15:24:26 |192.168.1.34:1573 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
127|09/02/2006 15:24:26 |192.168.1.34:1571 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
128|09/02/2006 15:24:26 |192.168.1.34:1569 |69.16.237.154:80
|ACCESS FORWARD
Firewall default policy: TCP (L to W)
To my untrained eye, it seems odd that this access just goes through
all the available ports (I have many more logs - it seemed to start
with port 1028 and goes up to 4999 before starting again). This is
keeping the router busy all the time with up to 10 accesses per minute
solidly throughout the day. Is this normal? Some of the destination ips
seem to be expected (Google etc) others just point mysteriously at
RIPE.NET or LIQUIDWEB.COM which we haven't knowingly visited but maybe
they are adverts or something?
Am I worrying unncessarily?
thanks for any advice
Re: Router logs
am 03.09.2006 18:44:29 von ibuprofin
On 2 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1157211321.843329.308810@m79g2000cwm.googlegroups.com>, deja@2bytes.co.uk
wrote:
>Let me start by saying I know nothing about firewalls and ports.
>However I have just started looking at the router logs on my wireless
>network. And I'm a little worried. For example I seem to be getting
>masses of Access Frowards from an almost sequential list of ports i.e:
>
>116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80
[compton ~]$ host 69.16.237.154
154.237.16.69.IN-ADDR.ARPA domain name pointer host1.ephotozine.com
[compton ~]$
>|ACCESS FORWARD
> Firewall default policy: TCP (L to W)
Someone surfing. The multiple access is because they are retrieving
multiple pages. It's from your wireless side, going out to the world.
>To my untrained eye, it seems odd that this access just goes through
>all the available ports (I have many more logs - it seemed to start
>with port 1028 and goes up to 4999 before starting again).
Normal - the single web page contains a number of URLs, and each has to
be retrieved separately.
>This is keeping the router busy all the time with up to 10 accesses per
>minute solidly throughout the day.
Are you the one accessing these sites, or are you acting as a public hot
spot because you left the router in the default condition?
>Is this normal?
For a system in use? Sure.
>Some of the destination ips seem to be expected (Google etc) others just
>point mysteriously at RIPE.NET or LIQUIDWEB.COM which we haven't knowingly
>visited but maybe they are adverts or something?
Or maybe the tool you are using to identify the names of sites is not the
right one to be using. 'RIPE.NET' is actually 'Reseaux IP Europeens'
which is the European regional Internet Registrar - one of the Internet
agencies that allocates IP addresses. "LIQUIDWEB.COM" is a bandwidth
provider in Lansing, Michigan (roughly half way between Toronto and
Chicago). They happen to "own" the netspace used by that ephotozine.com
host.
[compton ~]$ arinwhois 69.16.237.154
[whois.arin.net]
OrgName: Liquid Web, Inc.
OrgID: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US
NetRange: 69.16.192.0 - 69.16.255.255
CIDR: 69.16.192.0/18
NetName: LIQUIDWEB-4
[...]
[compton ~]$
>Am I worrying unncessarily?
If the local source of the requests (192.168.1.34) is your system, OR if
you are intentionally running a public hot-spot - probably OK. If this is
not the case, yeah you may have a problem. Remember that most windoze
style networking setups are configured such that anyone can use them out
of the box. Security is intentionally disabled because most users don't
want to read the crappy manual that came with the product, and the product
manufacturer saved money by not providing clear instructions of how to
set things up securely because they knew no one is interested.
Old guy
Re: Router logs
am 12.09.2006 14:21:22 von deja
> >To my untrained eye, it seems odd that this access just goes through
> >all the available ports (I have many more logs - it seemed to start
> >with port 1028 and goes up to 4999 before starting again).
>
> Normal - the single web page contains a number of URLs, and each has to
> be retrieved separately.
thanks for this - I didn't understand that it is normal to use all the
ports like this. In that case I am worrying about nothing ( I think!)
Moe Trin wrote:
> On 2 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
> <1157211321.843329.308810@m79g2000cwm.googlegroups.com>, deja@2bytes.co.uk
> wrote:
>
> >Let me start by saying I know nothing about firewalls and ports.
> >However I have just started looking at the router logs on my wireless
> >network. And I'm a little worried. For example I seem to be getting
> >masses of Access Frowards from an almost sequential list of ports i.e:
> >
> >116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80
>
> [compton ~]$ host 69.16.237.154
> 154.237.16.69.IN-ADDR.ARPA domain name pointer host1.ephotozine.com
> [compton ~]$
>
> >|ACCESS FORWARD
> > Firewall default policy: TCP (L to W)
>
> Someone surfing. The multiple access is because they are retrieving
> multiple pages. It's from your wireless side, going out to the world.
>
> >To my untrained eye, it seems odd that this access just goes through
> >all the available ports (I have many more logs - it seemed to start
> >with port 1028 and goes up to 4999 before starting again).
>
> Normal - the single web page contains a number of URLs, and each has to
> be retrieved separately.
>
> >This is keeping the router busy all the time with up to 10 accesses per
> >minute solidly throughout the day.
>
> Are you the one accessing these sites, or are you acting as a public hot
> spot because you left the router in the default condition?
>
> >Is this normal?
>
> For a system in use? Sure.
>
> >Some of the destination ips seem to be expected (Google etc) others just
> >point mysteriously at RIPE.NET or LIQUIDWEB.COM which we haven't knowingly
> >visited but maybe they are adverts or something?
>
> Or maybe the tool you are using to identify the names of sites is not the
> right one to be using. 'RIPE.NET' is actually 'Reseaux IP Europeens'
> which is the European regional Internet Registrar - one of the Internet
> agencies that allocates IP addresses. "LIQUIDWEB.COM" is a bandwidth
> provider in Lansing, Michigan (roughly half way between Toronto and
> Chicago). They happen to "own" the netspace used by that ephotozine.com
> host.
>
> [compton ~]$ arinwhois 69.16.237.154
> [whois.arin.net]
>
> OrgName: Liquid Web, Inc.
> OrgID: LQWB
> Address: 4210 Creyts Rd.
> City: Lansing
> StateProv: MI
> PostalCode: 48917
> Country: US
> NetRange: 69.16.192.0 - 69.16.255.255
> CIDR: 69.16.192.0/18
> NetName: LIQUIDWEB-4
>
> [...]
>
> [compton ~]$
>
> >Am I worrying unncessarily?
>
> If the local source of the requests (192.168.1.34) is your system, OR if
> you are intentionally running a public hot-spot - probably OK. If this is
> not the case, yeah you may have a problem. Remember that most windoze
> style networking setups are configured such that anyone can use them out
> of the box. Security is intentionally disabled because most users don't
> want to read the crappy manual that came with the product, and the product
> manufacturer saved money by not providing clear instructions of how to
> set things up securely because they knew no one is interested.
>
> Old guy
Re: Router logs
am 14.09.2006 07:40:17 von maybenot
wrote in message
news:1157211321.843329.308810@m79g2000cwm.googlegroups.com.. .
| Let me start by saying I know nothing about firewalls and ports.
| However I have just started looking at the router logs on my
wireless
| network. And I'm a little worried. For example I seem to be getting
| masses of Access Frowards from an almost sequential list of ports
i.e:
|
| 116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 117|09/02/2006 15:24:28 |192.168.1.34:1589 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 118|09/02/2006 15:24:28 |192.168.1.34:1587 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 119|09/02/2006 15:24:28 |192.168.1.34:1585 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 120|09/02/2006 15:24:27 |192.168.1.34:1583 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 121|09/02/2006 15:24:27 |192.168.1.34:1581 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 122|09/02/2006 15:24:27 |192.168.1.34:1579 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 123|09/02/2006 15:24:27 |192.168.1.34:1577 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 125|09/02/2006 15:24:27 |192.168.1.34:1575 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 126|09/02/2006 15:24:26 |192.168.1.34:1573 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 127|09/02/2006 15:24:26 |192.168.1.34:1571 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
| 128|09/02/2006 15:24:26 |192.168.1.34:1569 |69.16.237.154:80
||ACCESS FORWARD
| Firewall default policy: TCP (L to W)
|
| To my untrained eye, it seems odd that this access just goes through
| all the available ports (I have many more logs - it seemed to start
| with port 1028 and goes up to 4999 before starting again). This is
| keeping the router busy all the time with up to 10 accesses per
minute
| solidly throughout the day. Is this normal? Some of the destination
ips
| seem to be expected (Google etc) others just point mysteriously at
| RIPE.NET or LIQUIDWEB.COM which we haven't knowingly visited but
maybe
| they are adverts or something?
|
| Am I worrying unncessarily?
Your logs are showing outbound requests from your browser. Your
router logging obviously logs outbound traffic, by the looks of it,
192.168.1.34 who ever is using it is enjoying the web.. You will
know the direction of the traffic from the firewall default policy.
a. L to W ---.> outbound
b. W to L -----> inbounnd
c. W to W -----> internet to router WAN.