Strange dropped packages - guarddog/iptables

Paulo da Silva
09-18-2009, 02:55 AM
Hi!

I am running Gentoo Linux. After installing and setting up guarddog, I
found the following situations, which are "strange" at least to me:

1.
There are lots of dropped packets like this one towards various sites

Ex.:
DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=209.85.229.149 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=16475 DF PROTO=TCP SPT=4504 DPT=80
SEQ=1247115119 ACK=2605117908 WINDOW=191 RES=0x00 ACK FIN URGP=0

What are these packets and why are they being rejected? I don't notice
any problem in my accesses to my local net nor the "outside world".


2.
On every boot of my laptop, and only then, I got the following 4 packets
(source port changes):

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=19798 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=19799 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=19800 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=3738 DF PROTO=TCP SPT=2342 DPT=80 SEQ=914204314
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

This is even more strange because 192.168.1.99 is not an address that I
use in my local network and this situation does not occur on, for
example, another PC (desktop) I have and it has the same SW and very
similar configuration!

192.168.1.xx is the IP address of the PC and xx is not 99.

Thanks for any help/comments.
Ansgar -59cobalt- Wiechers
09-18-2009, 09:02 AM
In comp.security.firewalls Paulo da Silva wrote:
> I am running Gentoo linux. After installing and setting guarddog, I
> found the following "strange", at least for me, situations:
>
> 1.
> There are lots of dropped packets like this one towards various sites
>
> Ex.:
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=209.85.229.149 LEN=40
> TOS=0x00 PREC=0x00 TTL=64 ID=16475 DF PROTO=TCP SPT=4504 DPT=80
> SEQ=1247115119 ACK=2605117908 WINDOW=191 RES=0x00 ACK FIN URGP=0
>
> What are these packets


Probably your browser closing a connection to Google.

http://www.freesoft.org/CIE/Course/Section4/11.htm

> and why are they being rejected?


We wouldn't know, since you omitted your ruleset.

> I don't notice any problem in my accesses to my local net nor the
> "outside world".


That's because even if the connection isn't terminated correctly, it
will expire after some time.

> 2.
> On every boot of my laptop, and only then, I got the following 4 packets
> (source port changes):
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=19798 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=19799 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=19800 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=3738 DF PROTO=TCP SPT=2342 DPT=80 SEQ=914204314
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> This is even more strange because 192.168.1.99 is not an address that I
> use in my local network and this situation does not occur on, for
> example, another PC (desktop) I have and it has the same SW and very
> similar configuration!


I don't know of a straightforward way to do this with iptables, but you
could use the owner-match module and add logging rules for processes
that you suspect might generate this. See [1].

[1] http://osdir.com/ml/security.firewal.../msg00058.html

F'up2csf

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
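As an added example (not code from this thread, from guarddog or from either poster), a small Python triage script for iptables LOG lines of the shape quoted above. It separates the two cases discussed here: an outbound FIN/RST for a flow the stateful rules no longer recognize (the harmless connection close described in the reply) versus a fresh SYN to a LAN address that is not in your list of known hosts (the 192.168.1.99 case), which is the one worth tracing back to a process with the owner-match logging idea. The sample lines are constructed from the ones quoted in the thread, and the set of known hosts is an assumption.

```python
import ipaddress
import re

# Constructed sample input: two LOG lines in the shape quoted in this thread
# (the "192.168.1.xx" placeholder for the laptop's own address is kept as written).
SAMPLE_LOG = """\
DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=209.85.229.149 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=16475 DF PROTO=TCP SPT=4504 DPT=80 SEQ=1247115119 ACK=2605117908 WINDOW=191 RES=0x00 ACK FIN URGP=0
DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19798 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one iptables LOG line into key=value fields plus the bare TCP flag tokens."""
    fields = dict(KV_RE.findall(line))
    # Flags (SYN, ACK, FIN, ...) are bare words without '='. "ACK=<number>" is the
    # acknowledgement number and must not be confused with the bare "ACK" flag.
    bare = {tok for tok in line.split() if "=" not in tok}
    fields["flags"] = bare & TCP_FLAGS
    return fields


def classify(fields, known_hosts):
    """Label a dropped outbound TCP packet according to the two cases in the thread."""
    if fields.get("PROTO") != "TCP" or not fields.get("OUT"):
        return "not-outbound-tcp"
    flags = fields["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A brand-new connection attempt. A private (LAN) destination that is not
        # in the assumed list of known hosts deserves a look at which process sent it.
        dst = ipaddress.ip_address(fields["DST"])
        if dst.is_private and fields["DST"] not in known_hosts:
            return "syn-to-unknown-lan-host"
        return "syn-new-connection"
    if flags & {"FIN", "RST"}:
        # Teardown segment for a flow the stateful rules no longer match, e.g. the
        # browser closing a connection whose conntrack entry already expired: harmless.
        return "late-teardown"
    return "other"


def triage(log_text, known_hosts):
    results = []
    for line in log_text.splitlines():
        if not line.startswith("DROPPED"):
            continue
        fields = parse_line(line)
        results.append((fields["DST"], classify(fields, known_hosts)))
    return results
```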
Paulo da Silva
09-18-2009, 05:21 PM
Ansgar -59cobalt- Wiechers wrote:
> In comp.security.firewalls Paulo da Silva wrote:
>> I am running Gentoo linux. After installing and setting guarddog, I
>> found the following "strange", at least for me, situations:
>>
>> 1.
>> There are lots of dropped packets like this one towards various sites
>>
>> Ex.:
>> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=209.85.229.149 LEN=40
>> TOS=0x00 PREC=0x00 TTL=64 ID=16475 DF PROTO=TCP SPT=4504 DPT=80
>> SEQ=1247115119 ACK=2605117908 WINDOW=191 RES=0x00 ACK FIN URGP=0
>>
>> What are these packets
>
> Probably your browser closing a connection to Google.

Thanks.
Is there any harm in letting this happen? As I said, the ruleset
was written by guarddog. Is there any rule to allow *only* these packets without
compromising the rest of the ruleset?
Paulo da Silva
09-18-2009, 05:27 PM
Ansgar -59cobalt- Wiechers wrote:
....

>>
>> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
>> PREC=0x00 TTL=64 ID=3738 DF PROTO=TCP SPT=2342 DPT=80 SEQ=914204314
>> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>>
>> This is even more strange because 192.168.1.99 is not an address that I
>> use in my local network and this situation does not occur on, for
>> example, another PC (desktop) I have and it has the same SW and very
>> similar configuration!
>

I found the reason. An HTML document I have open in Konqueror has 4
references to 192.168.1.99. Somehow whoever wrote it forgot those refs
in there. In fact the "problem" occurs when I log in and not as part of the
boot process as I thought at first.

Thank you all for answering.