Security Incidents: Re: port 1150 and 4833 ?

Re: port 1150 and 4833 ?

From: Frameloss, Frameloss <tgarris_at_FRAMELOSS.ORG>
Date: Tue, 11 Jan 2000 03:56:52 -0000

Dec 30 08:43:17 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 a.b.c.d:4328 w.x.y.z:111 L=40 S=0x00 I=38248 F=0x400

The first IP is that of the originating address (I assume ipchains output here...), which tells me that port 4328 is not what is interesting, but instead port 111! Which is sunrpc. Now, I'm entirely sure with the censored IP addresses in your logs, but I am guessing that the IP address sending from port 1150 to port 113 (ident) is trying to figure out the username of whoever is connecting to your portmapper... sounds like NFS???

Anyway -- the thin and skinny is that ports 1150 and 4833 are not what you should be interested in; those are the _source_ ports, which are dynamically assigned (> 1024). The _dest_ ports are what is interesting here.

Of course I am not entirely sure because of the way the addresses are edited out of the logs... but I would guess that the letters a.b.c.d would actually have two different IP addresses in the actual log... likewise with w.x.y.z

Good Luck!
Received on Jan 11 2000
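
Added example, not part of the original message: a small Python parser for the ipchains log line quoted above that separates the dynamically assigned source port from the destination port and its service. The second sample line, its timestamp and its addresses are constructed, and the service table covers only the two ports the message names.

```python
import re
from collections import Counter

# ipchains "Packet log" layout: chain, action, interface, PROTO, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)"
)
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {111: "sunrpc", 113: "ident"}  # only the ports named in the message

def parse_line(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    return {
        "action": m["action"],
        "proto": PROTOCOLS.get(int(m["proto"]), m["proto"]),
        "src": m["src"], "sport": sport,
        "dst": m["dst"], "dport": dport,
        "service": SERVICES.get(dport, "unknown"),
        # The message's rule of thumb: source ports > 1024 are dynamically assigned.
        "sport_dynamic": sport > 1024,
    }

def summarize(lines):
    """Count denied packets per (source, destination port, service)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            hits[(rec["src"], rec["dport"], rec["service"])] += 1
    return hits

SAMPLE = [
    # Line quoted in the message, addresses redacted as on the page.
    "Dec 30 08:43:17 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 "
    "a.b.c.d:4328 w.x.y.z:111 L=40 S=0x00 I=38248 F=0x400",
    # Constructed line for the 1150 -> 113 (ident) traffic the message describes.
    "Dec 30 08:43:18 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:1150 198.51.100.7:113 L=44 S=0x00 I=38249 F=0x4000",
    "Dec 30 08:43:19 sentryhost kernel: eth0: link up",  # constructed, not a packet log
]

if __name__ == "__main__":
    for (src, dport, service), count in summarize(SAMPLE).items():
        print(f"{count} denied from {src} to port {dport} ({service})")
```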
