excessive firewall (linux router) logging
Page 1 of 1 (8 posts)
Tags:
None
Registered Member 
|
Hey all, I wonder if anyone can help explain something, it might be a problem on my firewall, my local machine configuration or with the ktorrent client, I cannot tell which, in essence when using ktorrent my firewall is logging tens of thousands of packets like this
I am behind a nat, iptables firewall, 192.168.1.5 is my lan box running ktorrent, the firewall is at 192.168.1.1, my port usage in ktorrent is 13762 both tcp and udp are forwarded on the firewall box thus
and the same for udp thus
giving
and
this is all going to wrap horribly I just know it will be an illegible scrunch of numbers, but ... The firewall is a smoothwall box kernel 2.4.32 which has served admirably for years and is performing perfectly as ever, eth0 is the internal lan, eth1 is mostly unused but is a spare lan, a dmz and eth2 is the external facing interface with the public ip. On the internal host running (FC3 2.6.12-2.3.legacy_FC3) ktorrent, the firewall is also active but the appropriate ports are open
ok everything is fine uploading and downloading are great, DHT looks like it's working too, it has nodes and occasionally tasks So what the hell am I **** about? My firewall logs are bursting with these inexplicable packets as at the top of the message
the source port (SPT) is a random high port, the source SRC ip is 192.168.1.5 and the DST is also 192.168.1.5 and the DPT is 13762, the port ktorrent is listening on and accepting connections on why are these even going out on the wire and hitting the firewalls internal interface, why is ktorrent trying every 6 seconds to connect (SYN) to itself using the lan ip of itself and why are these hitting the wire instead of just being handled by the kernel internally. I'm pretty knowledgable but this is driving me round the twist and my firewall logs and filled with this junk, why is the router even seeing these at all as being contained on the local lan it should just blank them. Had this on 2.0.2 same on 2.0.3. p.s. I'm not really pulling my hair out but if I understood better what is going on or even found away to stop this behaviour I would be happier. |
|
Moderator
|
That is also strange, if ktorrent were to connect to itself, you would expect the WAN IP address as the destination address. Maybe NAT is allready applied when the packets are logged, and the actual destination address is the WAN IP address ? You should try running ethereal on your LAN computer and then try to match the port number with your firewall logs for TCP SYN packets. |
|
Registered Member
|
George wrote:
It seems to make three attempts with each random high source port, this snip is from the firewall log on the router box
showing three tries with SPT=SPT=48513, then it repeats again with different SPT, next is 3x 48534, next again is 48547, no pattern there. Below is the same 3 SYN packets as they left the nat'd box (192.168.1.5) as you can see their destination 82.xxx.xxx.xxx is my routers external IP, I've munged it but any bright spark can figure it out if from the hex. 1 hourtime difference is due to GMT/BST
As you can see it is connecting to itself but rather than using 127.0.0.1 or 192.168.1.5, it is using the real external interface of the router as the destination which is not going to work in a NAT setup. Thanks for your help in running this down, I'm not sure if this is something that can be fixed but if it can determine that the external ip is not on any local interface, and act accordingly, it sure would keep my logs quieter. I've no knowledge what it is trying to do when connecting to itself in these instances and whether any functionality is lost by its inability to do so. |
|
Registered Member
|
|
|
Registered Member
|
jdong wrote:
Yeah I think that's it on both count jdongs, turning off DHT did not stop it immediately, possibly an afterglow efect, but stopping uploads then exiting the client has ended that logging. I was looking at it from the point of view that it wanted to connect to itself but now realise that my own ip was just one of many and indistinguishable. And NAT was just just doing its job. There is an element of chicken and egg about it then, if it does not know what its eventual routable ip is to the outside world it cannot exclude itself unless the user supplies it with it's own external ip not in the style of say passive ftp where it is used by supplying it to the connecting client on the control port but in order to exclude it from using it itself, although if it could just somehow query a remote DTH client to say 'who the hell am I?' Anyhow I just installed this recently the other day just to grab one file I was interested in, it looks a nice stable and very friendly client, last time I tried some java based thing and couldn't get rid of it quickly enough it was so bad. Understanding the problem is more than half way to solving it. thx guys/gals |
|
Registered Member
|
|
|
Moderator
|
Not really, the other peers will learn your IP address, from where your announce message came from and will add it to their internal database and pass it along to other peers. And when you ask one of those other peers for a list of peers, yours can be in there. We don't really check on this, because we will automatically refuse connections from ourself. |
|
Registered Member
|
Page 1 of 1 (8 posts)
Bookmarks
Who is online
Registered users: Bing [Bot], blue_bullet, Google [Bot], rockscient, Yahoo [Bot]
