On Mon, 2004-08-23 at 18:48, Michael Havens wrote:
> DROPPED IN= OUT=eth0 MAC= SRC= DST=10.255.255.255
> LEN=155 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631
> DPT=631 LEN=135
>

This is CUPS sending out a broadcast of what printers are configured on your system. You can set 'Browsing Off' in /etc/cups/cups.conf.

> DROPPED IN=ppp0 OUT= MAC= SRC=64.31.26.84 DST=67.224.21.83
> LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=8497 DF PROTO=TCP
> SPT=2274 DPT=135 SEQ=1888843780 ACK=0 WINDOW=64240
> RES=0x00 SYN URGO=0 OPT (020404AC01010402)
>

Unfortunately, this is normal. You will see lots of trolling for exploitable services on any system connected directly to the 'net.

> Ohhhhhh! I get it. I have to go into the firewall and allow for it to receive
> packets from the ethernet (10.10.10.2). Is this correct?

This question is the subject of numerous books on firewalls. I'm assuming eth0 is your internal interface and ppp0 is your external interface. It's not bad having really tight rules on both the internal and external interfaces. OTOH, there will be a certain pain factor associated with restrictions placed on the internal interface. It's the eternal balance between security and usability.

I'm also assuming this last question refers to the CUPS broadcast packet. If you don't have any other systems which need to print through this system, or you're willing to manually configure CUPS on those systems, I'd just change CUPS to not send out broadcast messages.

One other thing (forgive me if I'm stating the obvious), but it's really important to run an absolute minimum of services on a system directly connected to the 'net.

rna

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
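
The two DROPPED entries discussed in the message above, run through a small log classifier. This is an added example, not part of the original e-mail; the function names and the category labels are hypothetical, and ppp0 as the external interface is the assumption stated in the reply.

```python
import re

# The two log lines quoted in the message (SRC is blank in the first one there).
SAMPLE = [
    "DROPPED IN= OUT=eth0 MAC= SRC= DST=10.255.255.255 LEN=155 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=135",
    "DROPPED IN=ppp0 OUT= MAC= SRC=64.31.26.84 DST=67.224.21.83 LEN=48 "
    "TOS=0x00 PREC=0x00 TTL=115 ID=8497 DF PROTO=TCP SPT=2274 DPT=135 "
    "SEQ=1888843780 ACK=0 WINDOW=64240 RES=0x00 SYN URGO=0 "
    "OPT (020404AC01010402)",
]

KV = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=value, value may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse(line):
    """Split a netfilter LOG line into key/value fields and bare TCP flags."""
    fields = {}
    for key, value in KV.findall(line):
        # UDP lines carry LEN twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    # Flags are logged as bare tokens; "ACK=0" is the ack number, not the flag.
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def classify(line, external_if="ppp0"):
    """Label a dropped packet the way the reply reasons about it."""
    f, flags = parse(line)
    proto, dpt = f.get("PROTO"), f.get("DPT")
    # Empty IN= with an OUT= interface means the packet originated locally.
    if not f.get("IN") and f.get("OUT") and proto == "UDP" and dpt == "631":
        return "local CUPS browse broadcast"
    # A bare SYN arriving on the external interface is an unsolicited probe.
    if f.get("IN") == external_if and proto == "TCP" and flags == {"SYN"}:
        return f"unsolicited inbound SYN to port {dpt} from {f.get('SRC')}"
    return "unclassified"


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```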