I was getting scanned by someone just a second ago (during my keyboard
problem in the previous message), and I noticed my firewall logs firing
stuff left and right. I decided even though my firewall is Fort Knox,
I'd get off and get a new IP.
I did an "ifdown ppp0" and supposedly it disconnected. ifconfig however
has a different story.
pts/0 root@gw:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:B4:86:A8:11
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1355741 errors:0 dropped:3 overruns:0 frame:6
TX packets:2039126 errors:0 dropped:0 overruns:0 carrier:0
collisions:44 txqueuelen:100
Interrupt:11 Base address:0x300
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:59574 errors:0 dropped:0 overruns:0 frame:0
TX packets:59574 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
ppp0 Link encap:Point-to-Point Protocol
inet addr:206.172.218.195 P-t-P:206.172.218.244 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:67813 errors:0 dropped:0 overruns:0 frame:0
TX packets:50583 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
pts/0 root@gw:~# uname -a
Linux gw.capslock.lan 2.2.16-gw1 #1 Sat Jul 29 04:32:20 EDT 2000 i486 unknown
This is a stock 2.2.16 kernel with no patches, running on a 486 firewall.
pts/0 root@gw:~# uptime
8:56pm up 14 days, 23:24, 1 user, load average: 0.00, 0.01, 0.00
pts/0 root@gw:~# ps ax
PID TTY STAT TIME COMMAND
1 ? S 0:07 init
2 ? SW 0:15 [kflushd]
3 ? SW 0:07 [kupdate]
4 ? SW 0:00 [kpiod]
5 ? SW 0:43 [kswapd]
311 ? SW 0:01 [portmap]
326 ? SW 0:00 [lockd]
327 ? SW 0:00 [rpciod]
336 ? SW 0:00 [rpc.statd]
387 ? S 0:43 syslogd -m 0
396 ? S 0:01 klogd
410 ? S 0:00 /usr/sbin/atd
424 ? S 0:01 crond
438 ? SW 0:00 [inetd]
452 ? S 7:01 named -u named
461 ? S 2:51 /usr/sbin/sshd
479 ? SW 0:00 [rpc.rquotad]
488 ? SW 0:02 [rpc.mountd]
497 ? SW 1:24 [nfsd]
498 ? SW 1:25 [nfsd]
499 ? SW 1:23 [nfsd]
500 ? SW 1:27 [nfsd]
501 ? SW 1:26 [nfsd]
502 ? SW 1:25 [nfsd]
503 ? SW 1:23 [nfsd]
504 ? SW 1:22 [nfsd]
563 ttyS0 SW 0:00 [gpm]
577 tty4 SW 0:00 [mingetty]
578 tty5 SW 0:00 [mingetty]
581 tty6 SW 0:00 [mingetty]
582 ttyS1 SW 0:00 [mingetty]
3288 ? S 5:59 fetchmail -d 60
4769 ? S 0:05 sendmail: accepting connections on port 25
4817 ? S 0:11 httpd
4821 ? SW 0:00 [httpd]
4822 ? SW 0:00 [httpd]
4823 ? SW 0:00 [httpd]
4824 ? SW 0:00 [httpd]
4825 ? SW 0:00 [httpd]
4826 ? SW 0:00 [httpd]
4827 ? SW 0:00 [httpd]
4828 ? SW 0:00 [httpd]
6901 ? SW 0:00 [smbd]
6910 ? S 0:09 nmbd -D
6913 ? SW 0:00 [nmbd]
10105 tty3 SW 0:00 [mingetty]
13279 tty2 SW 0:00 [mingetty]
22246 tty1 S 0:00 /sbin/mingetty --noclear tty1
22654 ? S 0:05 /usr/sbin/sshd
22656 pts/0 S 0:01 -bash
22829 pts/0 R 0:00 ps ax
As you can see from the above, "pppd" is *NOT* running on this box. pppd
has been off now for 5-10 minutes, however ifconfig claims ppp0 is still
up:
pts/0 root@gw:~# ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:206.172.218.195 P-t-P:206.172.218.244 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:67813 errors:0 dropped:0 overruns:0 frame:0
TX packets:50583 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
I *know* that it is not, because I have disconnected the phone line
cable from the computer, and have a dialtone.
Also, for the record, *ALL* of the running daemons that you see above, are
all firewalled off, and only visible to the internal LAN.
Oddly, my ppp interface is "ppp0" however my firewall logs show:
53 216.209.120.18:1025 L=164 S=0x00 I=47612 F=0x0000 T=14 (#5)
Oct 16 20:47:47 gw kernel: Packet log: input DENY ppp1 PROTO=6 63.160.183.233:80 216.209.120.18:1143 L=52 S=0x00 I=62447 F=0x4000 T=56 (#5)
Oct 16 20:47:48 gw kernel: Packet log: input DENY ppp1 PROTO=17 198.41.0.4:53 216.209.120.18:1025 L=164 S=0x00 I=42391 F=0x0000 T=15 (#5)
Oct 16 20:47:57 gw kernel: Packet log: input DENY ppp1 PROTO=17 210.132.100.101:53 216.209.120.18:1025 L=164 S=0x00 I=1050 F=0x0000 T=12 (#5)
Oct 16 20:48:06 gw kernel: Packet log: input DENY ppp1 PROTO=17 202.153.114.101:53 216.209.120.18:1025 L=164 S=0x00 I=24606 F=0x0000 T=14 (#5)
Oct 16 20:48:08 gw kernel: Packet log: input DENY ppp1 PROTO=17 192.36.144.133:53 216.209.120.18:1025 L=164 S=0x00 I=12036 F=0x0000 T=16 (#5)
Oct 16 20:48:15 gw kernel: Packet log: input DENY ppp1 PROTO=17 198.41.3.101:53 216.209.120.18:1025 L=164 S=0x00 I=28604 F=0x0000 T=14 (#5)
Oct 16 20:48:15 gw modprobe: modprobe: Can't locate module binfmt-0000
Oct 16 20:48:15 gw modprobe: modprobe: Can't locate module binfmt-0000
Oct 16 20:48:16 gw pppd[22592]: Terminating on signal 15.
Oct 16 20:48:16 gw pppd[22592]: Connection terminated.
Oct 16 20:48:16 gw pppd[22592]: Connect time 15.0 minutes.
Oct 16 20:48:16 gw pppd[22592]: Sent 17114 bytes, received 43630 bytes.
Oct 16 20:48:17 gw pppd[22592]: Hangup (SIGHUP)
I looked back through the logs and all previous entries are "ppp0" showing up.
This time however it is ppp1, and someone seems to be looking for NFS or
something. Why is ppp1 coming up? ppp0 refuses to go down no matter what,
no pppd running, even the syslog acknowledges that ppp came down, however
the interface will not leave the kernel if tables.
Is this a known bug with 2.2.16?
----------------------------------------------------------------------
Mike A. Harris - Linux advocate - Open source advocate
Computer Consultant - Capslock Consulting
Copyright 2000 all rights reserved
----------------------------------------------------------------------
Want to try a new high performance open source web server? Try Caudium!
http://caudium.org http://caudium.sourceforge.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Oct 23 2000 - 21:00:10 EST
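
The "Packet log:" lines quoted in the message follow the ipchains log layout of Linux 2.2. As an added example (not part of the original post), the following parses that layout and tallies denied packets against an expected interface and address; the `triage` function, its note labels and the last sample line are assumptions made here for illustration.

```python
import re
from collections import Counter
# ipchains (Linux 2.2) log layout: chain, action, interface, PROTO, src, dst,
# then L=length S=TOS I=IP-ID F=frag-flags T=TTL (#rule-number).
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) "
    r"I=(?P<ip_id>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?: SYN)? \(#(?P<rule>\d+)\)"  # tolerate a SYN marker
)
INT_FIELDS = ("proto", "sport", "dport", "length", "ip_id", "ttl", "rule")

def parse_line(line):
    """Return a dict for an ipchains packet-log line, or None for anything else."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def triage(lines, expected_iface, expected_addr):
    """Count logged packets by (interface, notes) as a quick consistency check."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        notes = []
        if rec["iface"] != expected_iface:
            notes.append("unexpected-iface")
        if rec["dst"] != expected_addr:
            notes.append("dst-not-local-addr")
        # Heuristic (assumption): a low source port talking to a high
        # destination port looks like a reply rather than a service probe.
        if rec["sport"] < 1024 <= rec["dport"]:
            notes.append("reply-like")
        counts[(rec["iface"], ",".join(notes) or "ok")] += 1
    return counts

# The first three lines are copied from the post; the last one is constructed.
SAMPLE = [
    "Oct 16 20:47:47 gw kernel: Packet log: input DENY ppp1 PROTO=6 63.160.183.233:80 216.209.120.18:1143 L=52 S=0x00 I=62447 F=0x4000 T=56 (#5)",
    "Oct 16 20:47:48 gw kernel: Packet log: input DENY ppp1 PROTO=17 198.41.0.4:53 216.209.120.18:1025 L=164 S=0x00 I=42391 F=0x0000 T=15 (#5)",
    "Oct 16 20:48:16 gw pppd[22592]: Terminating on signal 15.",
    "Oct 16 20:50:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.7:4000 206.172.218.195:111 L=44 S=0x00 I=100 F=0x0000 T=50 (#5)",
]

if __name__ == "__main__":
    print(dict(triage(SAMPLE, "ppp0", "206.172.218.195")))
```

The expected interface and address passed to `triage` are the ppp0 values shown in the `ifconfig` output above.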