Rogue packet getting through router, or valid packet being.. - General Networking
Archived from groups: comp.security.firewalls

 

I'm trying to debug this problem (or establish that it's not a
problem!) and I'm not sure which direction to go in. I Googled but
it's hard to frame a good search string, so I'm hoping someone can
help.

I have a small network thus:

Windows 2000 PC "SystemA" 192.168.1.2
|
Linux firewall/router 192.168.1.254 ===ADSL===> my ISP
|
Windows 2000 PC "SystemB" 192.168.1.5

In addition to the filtering functions in the Linux machine each
Windows machine runs a personal firewall. "SystemA" runs Kerio
2.1.5. I have reasonable knowledge of TCP, NAT and filtering but I'm
no guru.

As I sit at "SystemB" there's nobody at "SystemA" and hasn't been for
most of the day. And yet inspecting the Kerio log in SystemA via
Windows file-sharing shows an entry about two hours ago thus:

Rule 'TCP ack packet attack': Blocked: In TCP,
207.46.197.59:80->localhost:1145, Owner: no owner

207.46/16 is Microsoft, and I guess that this is something to do with
Windows Update, which is probably comforting; but it's still not right
and I'd like to fix it.

The alternative explanations seem to be:

1. This is a valid response to a Windows Update query; but in that
case why has Kerio lost track of the conversation and treated the
reply from Microsoft as a new (rogue) message? That's a Kerio
question.

2. This is a spontaneous (and "rogue") packet from Microsoft, in
which case why has my Linux firewall looked it up in the NAT
translation tables and forwarded it to "SystemA", when in
fact it should have been blocked? That's a firewall question
and I'll take it up in a different group.
(Oh, and what is this packet from Bill and what does it do?)

All detective assistance gratefully received.

Henry Law <>< Manchester, England


"Henry Law" <lawshouse.public@btconnect.com> wrote in message
news:1b5ka01m26cb93snii8lvuqbfssa5dmojb@4ax.com...
> I'm trying to debug this problem (or establish that it's not a
> problem!) and I'm not sure which direction to go in. I Googled but
> it's hard to frame a good search string, so I'm hoping someone can
> help.
>
> I have a small network thus:
>
> Windows 2000 PC "SystemA" 192.168.1.2
> |
> Linux firewall/router 192.168.1.254 ===ADSL===> my ISP
> |
> Windows 2000 PC "SystemB" 192.168.1.5
>
> In addition to the filtering functions in the Linux machine each
> Windows machine runs a personal firewall. "SystemA" runs Kerio
> 2.1.5. I have reasonable knowledge of TCP, NAT and filtering but I'm
> no guru.
>
> As I sit at "SystemB" there's nobody at "SystemA" and hasn't been for
> most of the day. And yet inspecting the Kerio log in SystemA via
> Windows file-sharing shows an entry about two hours ago thus:
>
> Rule 'TCP ack packet attack': Blocked: In TCP,
> 207.46.197.59:80->localhost:1145, Owner: no owner
>
> 207.46/16 is Microsoft, and I guess that this is something to do with
> Windows Update, which is probably comforting; but it's still not right
> and I'd like to fix it.

"Owner: no owner" says it all. The sender would like you to think that
it's coming from MS. Since it was blocked, there's nothing to 'fix'.


On Tue, 18 May 2004 16:44:36 -0400, "Alan Illeman"
<illemann@surfbest.net> wrote:

>>
>> Rule 'TCP ack packet attack': Blocked: In TCP,
>> 207.46.197.59:80->localhost:1145, Owner: no owner
>>
>> 207.46/16 is Microsoft, and I guess that this is something to do with
>> Windows Update, which is probably comforting; but it's still not right
>> and I'd like to fix it.
>
>"Owner: no owner" says it all. The sender would like you to think that
>it's coming from MS. Since it was blocked, there's nothing to 'fix'.

In other words, it's a spoofed packet: so far, so normal. But how did
it get through my NAT router / firewall and end up at a machine with a
192.168/16 address? There sure as hell isn't a rule to forward it.

Henry Law <>< Manchester, England


Henry Law <lawshouse.public@btconnect.com> wrote in
news:bj1la05ht97hs2qksv8t7gfrll73v8aaog@4ax.com:

> On Tue, 18 May 2004 16:44:36 -0400, "Alan Illeman"
> <illemann@surfbest.net> wrote:
>
>>>
>>> Rule 'TCP ack packet attack': Blocked: In TCP,
>>> 207.46.197.59:80->localhost:1145, Owner: no owner
>>>
>>> 207.46/16 is Microsoft, and I guess that this is something to do with
>>> Windows Update, which is probably comforting; but it's still not right
>>> and I'd like to fix it.
>>
>>"Owner: no owner" says it all. The sender would like you to think that
>>it's coming from MS. Since it was blocked, there's nothing to 'fix'.
>
> In other words, it's a spoofed packet: so far, so normal. But how did
> it get through my NAT router / firewall and end up at a machine with a
> 192.168/16 address? There sure as hell isn't a rule to forward it.
>
> Henry Law <>< Manchester, England

Unless your Linux router/firewall is misconfigured, it's NOT a spoofed
packet. That would never get through the firewall. It's far more likely
to be, as suggested, windows update. The no owner just means that the
application which initiated the original connection, is no longer
listening on port 1145. One possibility is that windows update initiated
the connection, timed out, and went away. The Linux FW tracked the
original connection request, and so, let the ACK packet back through.


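The last reply's explanation (the Linux box tracked the original outbound connection and un-NATed a late ACK back to 192.168.1.2:1145 after the local application had already closed the port) can be replayed with a small simulation. The code below is an added example written for this page; it is not Kerio's or netfilter's code. It models a source-NAT table keyed the way conntrack keys the reply direction, with assumed timeouts that only approximate netfilter's per-state TCP defaults, an assumed public address for the router (203.0.113.10), an assumed NAT port pool starting at 40000, assumed timestamps, and an assumed Windows Update process name. It shows three cases side by side: the straggler ACK is forwarded to SystemA and rejected there because no process owns port 1145 any more; a packet with the same source but no matching table entry is dropped at the router; and the same straggler arriving after the entry has timed out is dropped too.

```python
from dataclasses import dataclass

# Addresses from the thread. The router's public address (TEST-NET-3
# documentation range), the NAT port pool and all timestamps are assumptions.
SYSTEM_A = "192.168.1.2"
ROUTER_PUBLIC = "203.0.113.10"
MICROSOFT = "207.46.197.59"

# Assumed per-state idle timeouts in seconds; they roughly mirror netfilter's
# nf_conntrack_tcp_timeout_* defaults but are not taken from any real system.
TIMEOUTS = {"SYN_SENT": 120, "ESTABLISHED": 432000, "FIN_WAIT": 120, "TIME_WAIT": 120}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset


def pkt(src, dst, *flags):
    """Build a Packet from 'ip:port' strings and TCP flag names."""
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(sip, int(sport), dip, int(dport), frozenset(flags))


@dataclass
class Entry:
    lan_ip: str
    lan_port: int
    nat_port: int
    remote_ip: str
    remote_port: int
    state: str
    last_seen: float


class StatefulNAT:
    """Toy source-NAT with connection tracking (constructed, not netfilter)."""

    def __init__(self):
        self.by_lan = {}    # (lan_ip, lan_port, remote_ip, remote_port) -> Entry
        self.by_reply = {}  # (remote_ip, remote_port, nat_port) -> Entry
        self.next_port = 40000
        self.log = []

    def _expired(self, e, now):
        return now - e.last_seen > TIMEOUTS[e.state]

    def _forget(self, e):
        self.by_lan.pop((e.lan_ip, e.lan_port, e.remote_ip, e.remote_port), None)
        self.by_reply.pop((e.remote_ip, e.remote_port, e.nat_port), None)

    def outbound(self, p, now):
        """LAN -> Internet: create an entry on SYN, rewrite the source. None = dropped."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        e = self.by_lan.get(key)
        if e and self._expired(e, now):
            self._forget(e)
            e = None
        if e is None:
            if "SYN" not in p.flags:
                self.log.append(f"DROP out {key}: no tracked connection")
                return None
            e = Entry(p.src_ip, p.src_port, self.next_port, p.dst_ip, p.dst_port, "SYN_SENT", now)
            self.next_port += 1
            self.by_lan[key] = e
            self.by_reply[(e.remote_ip, e.remote_port, e.nat_port)] = e
        if "FIN" in p.flags:
            e.state = "FIN_WAIT"
        e.last_seen = now
        return Packet(ROUTER_PUBLIC, e.nat_port, p.dst_ip, p.dst_port, p.flags)

    def inbound(self, p, now):
        """Internet -> LAN: only packets matching a live entry are un-NATed. None = dropped."""
        e = self.by_reply.get((p.src_ip, p.src_port, p.dst_port))
        if e is None or p.dst_ip != ROUTER_PUBLIC:
            self.log.append(f"DROP in {p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}: no tracked connection")
            return None
        if self._expired(e, now):
            self._forget(e)
            self.log.append(f"DROP in {p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}: entry expired in {e.state}")
            return None
        if e.state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
            e.state = "ESTABLISHED"
        elif e.state == "FIN_WAIT" and "FIN" in p.flags:
            e.state = "TIME_WAIT"
        e.last_seen = now
        return Packet(p.src_ip, p.src_port, e.lan_ip, e.lan_port, p.flags)


class HostFirewall:
    """Stand-in for the per-host filter: inbound TCP is accepted only when a local
    application owns the destination port; otherwise it is logged Kerio-style."""

    def __init__(self):
        self.owners = {}  # local port -> application name
        self.log = []

    def open(self, port, app):
        self.owners[port] = app

    def close(self, port):
        self.owners.pop(port, None)

    def receive(self, p):
        if p is None:
            return None
        if p.dst_port not in self.owners:
            self.log.append(f"Rule 'TCP ack packet attack': Blocked: In TCP, "
                            f"{p.src_ip}:{p.src_port}->localhost:{p.dst_port}, Owner: no owner")
            return False
        return True


def replay_scenario():
    """Replay the thread's situation; returns the outcomes as a dict."""
    nat, host = StatefulNAT(), HostFirewall()
    a, ms = f"{SYSTEM_A}:1145", f"{MICROSOFT}:80"
    host.open(1145, "wuauclt.exe")  # assumed: the Windows Update client process

    # Three-way handshake through the NAT at t = 0.
    syn = nat.outbound(pkt(a, ms, "SYN"), 0.0)
    public = f"{syn.src_ip}:{syn.src_port}"  # the source Microsoft actually sees
    host.receive(nat.inbound(pkt(ms, public, "SYN", "ACK"), 0.05))
    nat.outbound(pkt(a, ms, "ACK"), 0.06)

    # The client gives up at t = 30: FIN, then the socket is closed.
    nat.outbound(pkt(a, ms, "FIN", "ACK"), 30.0)
    host.close(1145)

    # A straggler ACK from the server while the conntrack entry is still alive.
    late = nat.inbound(pkt(ms, public, "ACK"), 90.0)
    late_delivered = late is not None and (late.dst_ip, late.dst_port) == (SYSTEM_A, 1145)
    late_accepted = host.receive(late)

    # Same source, but aimed at a port with no table entry: dropped at the router.
    spoof = nat.inbound(pkt(ms, f"{ROUTER_PUBLIC}:1145", "ACK"), 100.0)

    # The same straggler after the FIN_WAIT timeout has run out: also dropped.
    stale = nat.inbound(pkt(ms, public, "ACK"), 90.0 + TIMEOUTS["FIN_WAIT"] + 1)

    return {
        "late_ack_delivered_to_system_a": late_delivered,
        "late_ack_accepted_by_host": late_accepted,
        "host_log": host.log[-1],
        "spoof_forwarded": spoof is not None,
        "stale_forwarded": stale is not None,
        "nat_log": nat.log,
    }


if __name__ == "__main__":
    for k, v in replay_scenario().items():
        print(f"{k}: {v}")
```

On a real Linux router the equivalent check is to look at the tracking table itself (/proc/net/ip_conntrack on the 2.4 kernels of that era, `conntrack -L` on later ones) right after a Kerio entry like this appears: an entry for 207.46.197.59:80 paired with 192.168.1.2:1145 confirms the "late reply to a tracked connection" reading, while its absence would justify looking for a forwarding rule.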