Router logs

Let me start by saying I know nothing about firewalls and ports. However, I have just started looking at the router logs on my wireless network, and I'm a little worried. For example, I seem to be getting masses of Access Forwards from an almost sequential list of ports, i.e.:

116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
117|09/02/2006 15:24:28 |192.168.1.34:1589 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
118|09/02/2006 15:24:28 |192.168.1.34:1587 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
119|09/02/2006 15:24:28 |192.168.1.34:1585 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
120|09/02/2006 15:24:27 |192.168.1.34:1583 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
121|09/02/2006 15:24:27 |192.168.1.34:1581 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
122|09/02/2006 15:24:27 |192.168.1.34:1579 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
123|09/02/2006 15:24:27 |192.168.1.34:1577 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
125|09/02/2006 15:24:27 |192.168.1.34:1575 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
126|09/02/2006 15:24:26 |192.168.1.34:1573 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
127|09/02/2006 15:24:26 |192.168.1.34:1571 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
128|09/02/2006 15:24:26 |192.168.1.34:1569 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)

To my untrained eye, it seems odd that this access just goes through all the available ports (I have many more logs - it seemed to start with port 1028 and goes up to 4999 before starting again). This is keeping the router busy all the time with up to 10 accesses per minute solidly throughout the day. Is this normal? Some of the destination IPs seem to be expected (Google etc.), others just point mysteriously at RIPE.NET or LIQUIDWEB.COM, which we haven't knowingly visited, but maybe they are adverts or something?

Am I worrying unnecessarily?

thanks for any advice

Reply to
deja

[compton ~]$ host 69.16.237.154
154.237.16.69.IN-ADDR.ARPA domain name pointer host1.ephotozine.com
[compton ~]$

Someone surfing. The multiple access is because they are retrieving multiple pages. It's from your wireless side, going out to the world.

Normal - the single web page contains a number of URLs, and each has to be retrieved separately.

Are you the one accessing these sites, or are you acting as a public hot spot because you left the router in the default condition?

For a system in use? Sure.

Or maybe the tool you are using to identify the names of sites is not the right one to be using. 'RIPE.NET' is actually 'Reseaux IP Europeens' which is the European regional Internet Registrar - one of the Internet agencies that allocates IP addresses. "LIQUIDWEB.COM" is a bandwidth provider in Lansing, Michigan (roughly half way between Toronto and Chicago). They happen to "own" the netspace used by that ephotozine.com host.

[compton ~]$ arinwhois 69.16.237.154
[whois.arin.net]

OrgName: Liquid Web, Inc.
OrgID: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US
NetRange: 69.16.192.0 - 69.16.255.255
CIDR: 69.16.192.0/18
NetName: LIQUIDWEB-4

[...]
[compton ~]$

If the local source of the requests (192.168.1.34) is your system, OR if you are intentionally running a public hot-spot - probably OK. If this is not the case, yeah you may have a problem. Remember that most windoze style networking setups are configured such that anyone can use them out of the box. Security is intentionally disabled because most users don't want to read the crappy manual that came with the product, and the product manufacturer saved money by not providing clear instructions of how to set things up securely because they knew no one is interested.

Old guy

Reply to
Moe Trin

Thanks for this - I didn't understand that it is normal to use all the ports like this. In that case I am worrying about nothing (I think!)

Moe Tr> On 2 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article

Reply to
deja

Your logs are showing outbound requests from your browser. Your router logging obviously logs outbound traffic, by the looks of it, 192.168.1.34, whoever is using it, is enjoying the web. You will know the direction of the traffic from the firewall default policy:

a. L to W -----> outbound
b. W to L -----> inbound
c. W to W -----> internet to router WAN
Reply to
maybenot
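
An added example, not part of any post in this thread: a small Python parser for the log format quoted above that applies the L to W / W to L / W to W legend and groups outbound entries by LAN source address, so the changing source ports collapse into one line per host and any LAN address you do not recognise stands out. The fourth sample line and its address 192.168.1.77 are constructed, and `known_hosts` is a hypothetical list of your own machines' LAN addresses.

```python
import re
from collections import defaultdict

# Sample input: first three lines are from the thread, the fourth is constructed.
SAMPLE_LOG = """\
116|09/02/2006 15:24:28 |192.168.1.34:1591 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
117|09/02/2006 15:24:28 |192.168.1.34:1589 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
118|09/02/2006 15:24:28 |192.168.1.34:1587 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
119|09/02/2006 15:24:30 |192.168.1.77:2044 |69.16.237.154:80 |ACCESS FORWARD Firewall default policy: TCP (L to W)
"""

# Direction legend as given in the thread.
DIRECTIONS = {"L to W": "outbound", "W to L": "inbound", "W to W": "internet to router WAN"}

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\|(?P<when>[^|]+?)\s*\|(?P<src>[\d.]+):(?P<sport>\d+)\s*"
    r"\|(?P<dst>[\d.]+):(?P<dport>\d+)\s*\|(?P<msg>.*?)\((?P<dir>[LW] to [LW])\)\s*$"
)

def parse_line(line):
    """Return one log entry as a dict, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["direction"] = DIRECTIONS.get(rec["dir"], "unknown")
    return rec

def summarize(log_text, known_hosts):
    """Group outbound entries by LAN source IP and mark sources not in known_hosts."""
    hosts = defaultdict(lambda: {"sports": [], "dests": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["direction"] != "outbound":
            continue
        hosts[rec["src"]]["sports"].append(rec["sport"])
        hosts[rec["src"]]["dests"].add((rec["dst"], rec["dport"]))
    return {
        ip: {"connections": len(h["sports"]),
             "source_ports": (min(h["sports"]), max(h["sports"])),
             "destinations": sorted(h["dests"]),
             "known": ip in known_hosts}
        for ip, h in hosts.items()
    }

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG, known_hosts={"192.168.1.34"}).items():
        print(ip, info)
```

A source with `known` set to False is a LAN address that is not one of your own machines, which is the case the replies above say to look into.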
