Peculiar firewall log entries...need help interpreting..

Hi, all.

I was perusing my firewall logs today, and noticed several entries that left me scratching my head. Perhaps I'm just dense, but if someone could take a look at these and give me an "education" I'd appreciate it:

First:

Packet log: forward REJECT eth1 PROTO=1 X.Y.Z.A:8 X.Y.Z.B:0 L=60 S=0x0 I=34720 F=0x0000 T=31 (#2)

X.Y.Z.A and B are private addresses on the same subnet. What puzzles me is that it, at least as I interpret it, appears that this is a request from one peer to another that is going through the *gateway* on that subnet?!

Second:

Packet log: forward REJECT eth1 PROTO=6 X.Y.Z.A:1325 X.Y.Z.B:445 L=48 S=0x00 I=34721 F=0x4000 T=127 SYN (#2)

Now, I suspect this is just an attempt from a Windows box to connect to another Windows box over 445, but again, why is this going through the gateway!? That is, the gateway box (which also has the firewall) is X.Y.Z.1...

Perhaps I'm just overlooking something stupid and obvious, and if that's the case please accept my apologies in advance. I just don't see it.

I appreciate your help.

-David


Protocol 1 is ICMP...

Yes, this is a TCP from port 1325 (on Host A) to port 445 (on host B)...

Hummm. You are seeing these packets on your firewall/router? Even though they are communicating on the same LAN (I take it that it is the subnet X.Y.Z). If that is so, I would check that both hosts are configured correctly (netmask, default route)

The only time I have seen this before it was a misconfiguration with a netmask...

Check that and let us know...

-- Michael


Michael:

Thanks for the assist.

I *may* have a lead on this, or at least a start.

It turns out that all of those weird firewall log entries originate from the same box - a laptop - running XP Pro. I discovered, quite accidentally, that when an XP Pro laptop emerges from hibernation, it doesn't always restore its network configuration properly - in particular, its routing table. When this laptop was investigated - sure enough, its routing table had only the loopback route and the default route, and the default route goes through the gateway (wish I could remember the KB article!). I had to disable/re-enable the wireless network interface connection to get the table reset.

On that basis, I theorized that when the laptop came out of hibernation and tried to talk to a peer, it couldn't find a route for the subnet it needed, and tried the default gateway. And the firewall is set up to reject inbound packets that appear to originate from a private address (so, in that regard, the firewall worked precisely as it was supposed to!).

Apparently, the fix for the above laptop/hibernation problem is SP2, and I haven't yet been bold enough to apply that 8-)

What would be your opinion of this theory?

-David

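As an added example (not from this thread or any project): a small Python checker that parses the ipchains-style "Packet log:" lines quoted above, decodes the ICMP type:code and TCP port/flag fields, and flags any forwarded packet whose source and destination both sit inside the LAN prefix, which is exactly the symptom David traced to the laptop's missing on-link route after hibernation. The three log lines and the 192.168.1.0/24 LAN are constructed stand-ins for the X.Y.Z placeholders.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample lines in the post's ipchains "Packet log:" format; X.Y.Z is a made-up 192.168.1.0/24.
SAMPLE_LOG = """\
Packet log: forward REJECT eth1 PROTO=1 192.168.1.10:8 192.168.1.20:0 L=60 S=0x0 I=34720 F=0x0000 T=31 (#2)
Packet log: forward REJECT eth1 PROTO=6 192.168.1.10:1325 192.168.1.20:445 L=48 S=0x00 I=34721 F=0x4000 T=127 SYN (#2)
Packet log: forward ACCEPT eth0 PROTO=6 192.168.1.10:1400 203.0.113.5:80 L=48 S=0x00 I=34800 F=0x4000 T=127 SYN (#5)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) \S+ \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=\d+(?P<flags>(?: [A-Z]+)*) \(#\d+\)"
)

class PacketLog(NamedTuple):
    chain: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int      # ICMP type when proto == 1
    dst: ipaddress.IPv4Address
    dport: int      # ICMP code when proto == 1
    flags: tuple    # e.g. ("SYN",) for TCP

def parse_line(line: str) -> Optional[PacketLog]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an ipchains packet-log line
    return PacketLog(m["chain"], int(m["proto"]),
                     ipaddress.ip_address(m["src"]), int(m["sport"]),
                     ipaddress.ip_address(m["dst"]), int(m["dport"]),
                     tuple(m["flags"].split()))

def describe(p: PacketLog) -> str:
    """Protocol summary; for ICMP the two 'port' fields are really type and code."""
    if p.proto == 1:
        note = " (echo request)" if (p.sport, p.dport) == (8, 0) else ""
        return f"ICMP type {p.sport} code {p.dport}{note}"
    name = {6: "TCP", 17: "UDP"}.get(p.proto, f"proto {p.proto}")
    flags = f" {'/'.join(p.flags)}" if p.flags else ""
    return f"{name} {p.sport} -> {p.dport}{flags}"

def find_hairpins(log_text: str, lan_cidr: str) -> list:
    # Same-subnet traffic should never need forwarding by the gateway: flag it (bad netmask or missing on-link route).
    lan = ipaddress.ip_network(lan_cidr)
    return [(str(p.src), str(p.dst), describe(p))
            for p in map(parse_line, log_text.splitlines())
            if p is not None and p.chain == "forward" and p.src in lan and p.dst in lan]
```

Run `find_hairpins(SAMPLE_LOG, "192.168.1.0/24")` against a real log to list the offending sender addresses; a host that shows up repeatedly is the one whose netmask and routing table to check first.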


Hi, Lars...

I understand that the gateway should necessarily be able to get anywhere on my network, but my point was that the packets reflected in the particular entries of the firewall log shouldn't even be GETTING to the gateway. These two hosts were on the same subnet, so unless I'm just misunderstanding something pretty fundamental, the two peers should have been able to contact each other directly. The only other inference is that, for some reason, that one machine was configured to have EVERYTHING go through to the default gateway (and there's only one subnet on the network - the gateway is the only thing that even knows about the external internet).

That's what prompted me to recall the MS KB article on troublesome XP Pro laptops coming out of hibernation. With no entries in the routing table except loopback and the default gateway (which is on the laptop's subnet), a packet destined for what should be the laptop's subnet gets shuttled to the gateway, where the firewall caught and trapped it via a rule against routing an inbound packet that appears to originate from a private IP address. When the laptop's routing table was restored, the weird firewall log entries disappeared.

-David



On 27 Jan 2005 06:09:20 -0800, intrepid snipped-for-privacy@hotmail.com spoketh

Your default gateway should know how to get to any part of your network. If your firewall is defined as your default gateway and it doesn't do routing, then perhaps there is a router on your network that knows. Since there is more than one subnet on your network, there's got to be some device somewhere that knows how to route to anywhere. Configure your computers to use that as your default gateway, and it'll redirect the clients to the device it needs to talk to.

Lars M. Hansen



On 27 Jan 2005 15:28:15 -0800, intrepid snipped-for-privacy@hotmail.com spoketh

Sorry, I got the impression that the two machines were not on the same subnet...

Lars M. Hansen


