Old 10-04-2010, 05:28 AM
JD
 
Default F13 Firewall and gateway router port forwarding

I have a router/gateway which forwards a few ports
to my machine. Port 995 is absolutely not one of them.
I checked and rechecked.

My F13 iptables is instrumented to print a "Dropped" message
for packets that it drops.
So I was surprised to see many messages like this:

Dropped by firewall: IN=wlan0 OUT=
MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 SRC=74.125.127.109
DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 PROTO=TCP SPT=995
DPT=57892 WINDOW=0 RES=0x00 RST URGP=0

Port 995 is for SSL'ed pop protocol.

I even used another machine and tried to telnet to the
router's public IP address, port 995

telnet my-router-public-ip-address 995

to see if it would forward the packet to my machine.
It did not and the firewall did not even see the packet.

How can this happen? The packet obviously arrived from the gmail pop server,
unless a clever hacker spoofed the source IP.
I do not understand how any server can worm a packet to my LAN address,
when the router's per-LAN-client dedicated firewalls
do not provide for forwarding this port to any machine on the LAN.
(yes - this router provides a separately configurable firewall and port
forwarding table for each LAN client) -

Is it possible that the router itself got hacked?

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 10-06-2010, 11:54 AM
Doron Bar Zeev
 
Default F13 Firewall and gateway router port forwarding

On Mon, Oct 4, 2010 at 07:28, JD <jd1008@gmail.com> wrote:

> I have a router/gateway which forwards a few ports
> to my machine. Port 995 is absolutely not one of them.
> I checked and rechecked.
>
> My F13 iptables is instrumented to print a "Dropped" message
> for packets that it drops.
> So I was surprised to see many messages like this:
>
> Dropped by firewall: IN=wlan0 OUT=
> MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 SRC=74.125.127.109
> DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 PROTO=TCP SPT=995
> DPT=57892 WINDOW=0 RES=0x00 RST URGP=0
>
> Port 995 is for SSL'ed pop protocol.
>
> I even used another machine and tried to telnet to the
> router's public IP address, port 995
>
> telnet my-router-public-ip-address 995
>
> to see if it would forward the packet to my machine.
> It did not and the firewall did not even see the packet.
>
> How can this happen? The packet obviously arrived from the gmail pop server,
> unless a clever hacker spoofed the source IP.
> I do not understand how any server can worm a packet to my LAN address,
> when the router's per-LAN-client dedicated firewalls
> do not provide for forwarding this port to any machine on the LAN.
> (yes - this router provides a separately configurable firewall and port
> forwarding table for each LAN client) -
>
> Is it possible that the router itself got hacked?

Since it's the source port that is 995 it seems google is trying to respond to your computer which started a communication with them with destination port of 995 and destination address of google.

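The distinction Doron draws (source port 995 and an ephemeral destination port means a reply to a connection the client opened, not an inbound connection attempt) can be checked mechanically against the iptables LOG format quoted above. The following is an added example, not code from the thread or from Fedora; the sample line is constructed from the one JD posted, and the port-range heuristic and classification labels are my own.

```python
# Sample iptables LOG line, constructed from the one quoted in the thread.
SAMPLE = ("Dropped by firewall: IN=wlan0 OUT= "
          "MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 SRC=74.125.127.109 "
          "DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 PROTO=TCP "
          "SPT=995 DPT=57892 WINDOW=0 RES=0x00 RST URGP=0")

# iptables prints set TCP flags as bare tokens (no '='), e.g. "SYN" or "RST".
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_iptables_log(line):
    """Split an iptables LOG line into a dict of KEY=VALUE fields.
    Bare TCP flag tokens are collected into fields['FLAGS'] as a set;
    an empty value such as 'OUT=' is kept as the empty string."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify_drop(fields):
    """Heuristic (my assumption, not an iptables feature): decide whether a
    dropped TCP packet looks like an unsolicited inbound connection attempt
    or a stray reply to a connection this host itself opened, as in the thread."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    flags = fields["FLAGS"]
    # A bare SYN aimed at a well-known port: someone is trying to reach a service here.
    if "SYN" in flags and "ACK" not in flags and dpt < 1024:
        return "inbound-connection-attempt"
    # Well-known source port, ephemeral destination port, RST or ACK set:
    # a server answering (or tearing down) a session our client port started.
    # conntrack no longer knows the session, so the packet falls through to LOG/DROP.
    if spt < 1024 and dpt >= 1024 and ("RST" in flags or "ACK" in flags):
        return "late-reply-to-outbound"
    return "other"

if __name__ == "__main__":
    parsed = parse_iptables_log(SAMPLE)
    print(parsed["SRC"], parsed["SPT"], "->", parsed["DPT"], parsed["FLAGS"])
    print(classify_drop(parsed))  # late-reply-to-outbound
```

The same parser works on lines from /var/log/messages once the syslog prefix before the LOG fields is stripped, so it can be run over a day of "Dropped" lines to separate noise like this RST from real inbound probes.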
 
Old 10-06-2010, 04:12 PM
JD
 
Default F13 Firewall and gateway router port forwarding

On 10/06/2010 04:54 AM, Doron Bar Zeev wrote:
>
>
> On Mon, Oct 4, 2010 at 07:28, JD <jd1008@gmail.com
> <mailto:jd1008@gmail.com>> wrote:
>
> I have a router/gateway which forwards a few ports
> to my machine. Port 995 is absolutely not one of them.
> I checked and rechecked.
>
> My F13 iptables is instrumented to print a "Dropped" message
> for packets that it drops.
> So I was surprised to see many messages like this:
>
> Dropped by firewall: IN=wlan0 OUT=
> MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:08:00 SRC=74.125.127.109
> DST=10.1.1.8 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=52856 PROTO=TCP
> SPT=995
> DPT=57892 WINDOW=0 RES=0x00 RST URGP=0
>
> Port 995 is for SSL'ed pop protocol.
>
> I even used another machine and tried to telnet to the
> router's public IP address, port 995
>
> telnet my-router-public-ip-address 995
>
> to see if it would forward the packet to my machine.
> It did not and the firewall did not even see the packet.
>
> How can this happen? The packet obviously arrived from the gmail
> pop server,
> unless a clever hacker spoofed the source IP.
> I do not understand how any server can worm a packet to my LAN
> address,
> when the router's per-LAN-client dedicated firewalls
> do not provide for forwarding this port to any machine on the LAN.
> (yes - this router provides a separately configurable firewall and
> port
> forwarding table for each LAN client) -
>
> Is it possible that the router itself got hacked?
>
>
>
> Since it's the source port that is 995 it seems google is trying to
> respond to your computer which started a communication with them with
> destination port of 995 and destination address of google.

That is strange, because I have been getting my email just fine. No
problems at all.
Well, I'll keep watching the logs to see how often it happens.
Thanks for the explanation.
