The other interesting phenomenon concerns another laptop (yes, two devices that are heavily used "outside" of the protection of the Astaro). About once a week, when this second laptop is connected via L2TP over IPsec, it portscans 255.255.255.255, then the IP of the Windows 2003 Small Business Server and, finally, the IP of the multi-function device used to scan to email.
Code:
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:44 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcip="10.x.x.51" dstip="255.255.255.255" proto="17" length="269" tos="0x00" prec="0x00" ttl="128" srcport="138" dstport="138"
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:45 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.51" dstip="10.x.x.7" proto="17" length="269" tos="0x00" prec="0x00" ttl="127" srcport="138" dstport="138"
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:46 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.51" dstip="10.x.x.45" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="51814" dstport="161"
No other desktop or laptop IP appears in the IPS logs.
Cheers - Bob
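As an added example (not part of the original post or of any Astaro tooling), the following Python sketch parses IPS lines in the format quoted above and groups "portscan detected" alerts by source IP, labelling the protocol and destination service so each alert can be triaged by what was actually contacted. The function names are hypothetical, the sample lines are constructed from the fields shown in the post, and the service labels are the IANA well-known assignments for UDP 137, 138 and 161.

```python
import re
from collections import defaultdict

# key="value" pairs as they appear in the ulogd IPS lines quoted in the post
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Timestamp such as 2009:05:09-07:27:44 (may follow a grep file-name prefix)
TS_RE = re.compile(r'(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})')

# IANA protocol numbers and well-known UDP services relevant to these lines
PROTO = {"6": "tcp", "17": "udp"}
SERVICE = {("udp", "137"): "netbios-ns", ("udp", "138"): "netbios-dgm",
           ("udp", "161"): "snmp"}

def parse_line(line):
    """Return a dict of fields for a 'portscan detected' line, else None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("name") != "portscan detected":
        return None
    ts = TS_RE.search(line)
    fields["time"] = ts.group(1) if ts else None
    proto = PROTO.get(fields.get("proto"), fields.get("proto"))
    fields["proto"] = proto
    fields["service"] = SERVICE.get((proto, fields.get("dstport")), "unknown")
    return fields

def summarize(lines):
    """Map each source IP to a sorted list of (dstip, proto, dstport, service)."""
    out = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev:
            out[ev["srcip"]].add(
                (ev["dstip"], ev["proto"], ev["dstport"], ev["service"]))
    return {src: sorted(targets) for src, targets in out.items()}

# Constructed sample lines modelled on the post's format (fields trimmed)
TEMPLATE = ('/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:{s} '
            'post ulogd[3016]: id="2102" sub="ips" name="portscan detected" '
            'action="portscan" srcip="10.x.x.51" dstip="{d}" proto="17" '
            'srcport="{sp}" dstport="{dp}"')
SAMPLE = [TEMPLATE.format(s="44", d="255.255.255.255", sp="138", dp="138"),
          TEMPLATE.format(s="45", d="10.x.x.7", sp="138", dp="138"),
          TEMPLATE.format(s="46", d="10.x.x.45", sp="51814", dp="161"),
          'post ulogd[3016]: id="2101" sub="ips" name="other event" srcip="10.x.x.9"']

if __name__ == "__main__":
    for src, targets in summarize(SAMPLE).items():
        print(src, "->", len(targets), "distinct targets")
        for t in targets:
            print("   ", *t)
```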