On 22/06/13 21:00, Chris Walker wrote:
I've this week changed from Mandriva 2011 to Mageia. I did it because Mandriva no longer seemed to be being developed and also because my installation had a few issues.
I also swapped out the 500gig drive that Mandriva was on and installed Mageia to a 1TB drive, but I kept the 500 gig jobbie. To save myself time I just moved things like the config for Sylpheed and Claws from the 500gig to the 1TB, and those are working fine. In trying to find out why a USB 3 disc wasn't being seen, I noticed that dmesg was filling up with messages from Shorewall. I'm not sure if Shorewall ran on Mandriva, but certainly I didn't see those messages.
Mandriva was actually the first distro I happened to notice Shorewall on - one of my servers at home is running 2009.1 and it's on there. I don't /think/ Mandriva has stopped being developed, but they seem to have moved to a commercial-only business model so there are no free/open downloads.
They all appear to be the same though, with the exception of the ID, which varies. Here's the last two, for example:

[ 6125.561129] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2897 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
[ 6128.560425] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2898 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
On my machine 192.168.1.1 is the router.
Should I be concerned about these messages? If so, what should I do as they're just an irritation at the moment.
The destination port (DPT in the logs above) is 3389, which is Microsoft Terminal Server, aka Remote Desktop/RDP (see https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers). An iptables config I got from a well-respected former sysadmin colleague had this and various other Windows ports like SMB collectively annotated as "Windows rubbish", and dropped them all.
RDP itself has been subject to several vulnerabilities; see http://www.tenable.com/blog/remote-access-woes-microsoft-windows-remote-desk... for a link to a couple. But if you're not running Windows machines with this enabled, it's not an issue.
Otherwise, this looks at first glance as if it's coming from your router (the SRC of 192.168.1.1). I would be more worried if it were coming from outside, as that's exactly the sort of thing your router's firewall should have filtered out already; as it is, it could just be the router looking for "useful services" in order to help with setting up. Is it occasional or every few seconds?
Simon
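The two questions Simon raises (is the source inside the LAN, and how often does it hit?) are easy to answer mechanically rather than by eyeballing dmesg. The script below is an added example, not code from either poster or from Shorewall; it parses the `Shorewall:<chain>:<action>:` prefix followed by the standard netfilter `KEY=VALUE` fields as they appear in the lines Chris pasted, groups DROP events by source, protocol and destination port, flags private (RFC 1918) sources, and reports the shortest gap between consecutive hits. The two sample lines are copied from the thread; the small port-name table is an assumption I added for readability and is not authoritative.

```python
import ipaddress
import re
from collections import defaultdict

# The two Shorewall lines Chris pasted in the thread, used here as sample input.
SAMPLE_DMESG = """\
[ 6125.561129] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2897 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
[ 6128.560425] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2898 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed: a short lookup for the ports that usually show up as "Windows rubbish".
# These are the IANA names; extend or replace with /etc/services as you prefer.
SERVICE_NAMES = {
    135: "epmap (MS RPC)",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB)",
    3389: "ms-wbt-server (RDP)",
}

# Kernel timestamp, then "Shorewall:<chain>:<action>:", then the netfilter field list.
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one Shorewall/netfilter log line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    # Bare tokens such as DF and SYN carry no '='; treat them as TCP/IP flags.
    flags = {tok for tok in rest.split() if "=" not in tok}
    return {
        "ts": float(m.group("ts")),
        "chain": m.group("chain"),
        "action": m.group("action"),
        "in_if": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        "syn": "SYN" in flags,
    }


def summarize(text):
    """Group DROP events by (src, proto, dpt) and report count, whether the source
    is a private address, the service name if known, and the shortest interval
    between consecutive hits (the "occasional or every few seconds" question)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "DROP":
            groups[(ev["src"], ev["proto"], ev["dpt"])].append(ev["ts"])

    report = []
    for (src, proto, dpt), stamps in sorted(groups.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        report.append({
            "src": src,
            "src_is_private": ipaddress.ip_address(src).is_private,
            "proto": proto,
            "dpt": dpt,
            "service": SERVICE_NAMES.get(dpt, "unknown"),
            "count": len(stamps),
            "min_gap_s": round(min(gaps), 3) if gaps else None,
        })
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_DMESG):
        print(row)
```

Run it against a real capture with `dmesg | python3 shorewall_drops.py` after swapping `SAMPLE_DMESG` for `sys.stdin.read()`; a private source hitting one port every few seconds from the router's own address is the benign pattern Simon describes, whereas a non-private source, or a sweep across many ports, is the case worth looking into.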