
[suse-security] SuSEfirewall2: outgoing packets, IPv6


I am running SUSE 9.0, Kernel 2.4.21-166-default on my office PC; I have a standard Ethernet connection with a static IP address. My PC is for desktop use only, i.e. not as a server, router, etc. etc. I am running Gnome 2.4 (from the SuSE RPMs). My employer (Northwestern University) has a firewall in place. I have also set up SuSEfirewall2 using Yast2 to block all incoming traffic except for SSH, which I use to access my PC from home. So no Web/FTP/SMTP/IMAP/POP/SMB/NFS servers. Only SSH (or at least that's my intention!) Other than that, everything is set to its default configuration, and I have not tweaked the SuSEfirewall2 config file.

Now, looking at the firewall logs, I have noticed the following warning regarding *outgoing* packets dropped:

Jan 28 15:34:21 marciano kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=<my IPv6 address> DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=16925 DPT=80 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A0534B7830000000001030300)

There are quite a few of these, although not every day; for instance, I had 6 yesterday, and none as of today at noon. The SPT is not always the same, but it's never a "known" (to me, i.e. from /etc/services or the Firewall Forensics Web page) port. Moreover, I really don't know what could be sending out these packets. This is the only outgoing packet that appears in the firewall logs. A while back I installed Ximian-Gnome, including Red Carpet; the Red Carpet daemon also generated outgoing packets which SuSEfirewall2 blocked, but I have since uninstalled it, so that should not be a concern.

Any ideas?

Thanks in advance!
Marciano Siniscalchi     Ph  (847) 491-5398
Department of Economics  Fax (847) 491-7001
Northwestern University
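
One way to triage entries like the one quoted in this message, as an added example that is not part of the original post: the Python below parses SuSEfirewall2 kernel log lines, decodes the TCP options in the OPT field, and counts dropped outgoing packets per destination and port. The sample line is constructed from the post's entry with a documentation-prefix SRC address, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the post's log entry with a documentation-prefix SRC.
SAMPLE = [
    "Jan 28 15:34:21 marciano kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 "
    "SRC=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 PROTO=TCP SPT=16925 DPT=80 WINDOW=5760 RES=0x00 SYN URGP=0 "
    "OPT (020405A00402080A0534B7830000000001030300)",
]
LINE_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-\S+) (?P<rest>.*)$")
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")
TCP_OPTS = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 8: "TIMESTAMP"}

def decode_tcp_options(raw):
    """Walk the kind/length/value list; value = first 4 bytes (TSval for TIMESTAMP)."""
    out, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 = end of list
        if raw[i] == 1:                          # kind 1 = NOP padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            out.append(("MALFORMED", raw[i:].hex()))
            break
        kind, length = raw[i], raw[i + 1]
        value = int.from_bytes(raw[i + 2:i + length][:4], "big")
        out.append((TCP_OPTS.get(kind, "kind%d" % kind), value))
        i += length
    return out

def parse_line(line):
    """Return the firewall entry as a dict, or None for unrelated log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    opt = OPT_RE.search(rest)
    rec = {"prefix": m.group("prefix"), "flags": [],
           "opts": decode_tcp_options(bytes.fromhex(opt.group(1))) if opt else []}
    for tok in OPT_RE.sub("", rest).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["flags"].append(tok)             # bare tokens are TCP flags, e.g. SYN
    return rec

def summarize(lines):
    """Count dropped outgoing packets per (DST, PROTO, DPT)."""
    recs = [r for r in map(parse_line, lines) if r and r["prefix"].startswith("SuSE-FW-OUT")]
    return Counter((r.get("DST"), r.get("PROTO"), r.get("DPT")) for r in recs)
```

Passing the lines of the firewall log to summarize() groups the drops by destination, so a handful of entries with varying SPT values collapses into one row per remote host and port.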
