Unknown firewall log entries Home Hub 2

Hi,
could anyone explain what the following are on my event log please?
FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 81.134.23.245 Dst ip: 81.154.36.164 Type: Destination Unreachable Code: Host Unreacheable  - this appears quite a few times over the space of two hours this evening.
Also:
UPnP action 'DeletePortMapping' from ip=192.16x.xx (No such entry in array)
19:56:22  26 Apr
UPnP action 'DeletePortMapping' from ip=192.16x.xx(No such entry in array)
The IP address in this one corresponds to a known/recognised device. 
Very grateful if anyone can help explain what these mean and if they are anything to worry about.
Thanks.

camper wrote:
Hi,
could anyone explain what the following are on my event log please?
The IP address in this one corresponds to a known/recognised device. 
Very grateful if anyone can help explain what these mean and if they are anything to worry about.
Thanks.
FIREWALL icmp check (1 of 3): Protocol: ICMP Src ip: 81.134.23.245 Dst ip: 81.154.36.164 Type: Destination Unreachable Code: Host Unreacheable  - this appears quite a few times over the space of two hours this evening.
That is an external "ping" request from the Internet that has been blocked. Probably someone trying to find whether there is anything worth trying to hack into.
UPnP action 'DeletePortMapping' from ip=192.16x.xx (No such entry in array)
That's an application on your device which is trying to open an incoming port; perhaps you have a game or IM program running?
If not, then disable uPnP on the home hub.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Similar Messages

  • Firewall Log Entries

    My firewall log is showing strange activity on my computer.
    I am seeing these entries:
    Dec 13 09:29:39 TheMacPro Firewall[84]: Allow Transmission connecting from xx.xx.xx.xxx:34762 to port 56202 proto=6
    ...and on and on, about 1,000 entries like the one above (but with different IPs). This goes on and on for days, then repeats as the log gets cleared (after 1000K worth of log entries).
    I've Googled the IPs and most of them resolve to strange places, such as New Delhi, Saudi Arabia, and so on.
    Doesn't sound good. Is there a way that I can trace what process on my computer is talking to these IPs?

    Ahhhhhhh...that's gotta be it!
    Um, I mean no, I did not have relations with that application.
    Thanks!

  • Firewall log entries originating from Xserve

    Our 3com ADSL NAT router/firewall log shows repeated entries relating to our Xserve (10.4.2 / AFP, DHCP, DNS, NetBoot, Open Directory Master, VPN) inside the firewall. Access attempt typically is repeated every 2 seconds on port 49152. The intended target is a string of different external IP addresses on port 53 and so would appear to be DNS queries – one at least appeared to be a name server. However, the firewall registers them as UDP Flood to Host.
    I'm not aware of any issues arising from this, but having had problems from PC viruses on our LAN I'm a bit nervous about odd firewall entries. Can anyone illuminate or reassure me?
    Martin Inchley


  • [unknown] in log entry

    Hi,
    could you please help provide me some explanation about this specific log entry?
    08-Nov-2009 20:11:59.79 tcp_intranet tcp_local EE 1 [email protected] rfc822;[email protected] [email protected] <[email protected]> domain.com ([unknown] [10.112.240.101])
    I would like to understand what does the ([unknown] ... mean here? How can I change this?
    SJMS 7.1u3
    Thanks,
    Stefan

    varga_stean wrote:
    08-Nov-2009 20:11:59.79 tcp_intranet tcp_local EE 1 [email protected] rfc822;[email protected] [email protected] <[email protected]> domain.com ([unknown] [10.112.240.101])
    I would like to understand what does the ([unknown] ... mean here? How can I change this?
    The "[unknown]" refers to Messaging Server's attempt to perform a DNS lookup of 10.112.240.101 and getting no result, i.e.
    bash-3.00# host 10.112.240.101
    Host 101.240.112.10.in-addr.arpa. not found: 3(NXDOMAIN)
    Why would you need to "change this"?
    Regards,
    Shane.

  • Unknown CSRadius Log Entries

    G'Day Guys!
    We're running 2 Cisco Secure ACS v4.2. In the CSRadius-logs about 90 percent of it looks like this:
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
    I'd appreciate it if someone could help us to understand those entries and the behaviour!
    Can you guys give us ideas what to do about it and where to look for its cause?!
    Thanks a lot!

    Hi,
    Those messages look like a DDTS that was found on the 4.2.0.124.0 ACS.
    Basically:
    Logged-In-Users not updated for Ext-DB users with Disable dynamic users. The users are mapped to the correct group during authentication.
    But during radius accounting the group mapping fails and it gets mapped to default group.
    As it was never reported by any customer it is marked as internal found, so not visible to customers.
    However, the latest patch has this issue fixed, so if you are running 4.2.0.124.0, you may want to apply the latest patch.
    Regarding the IDs in bold, there is no decoding for those as they are incremental IDs to simply identify the internal acs processes and authentication attempts. There is no specific decoding for them.
    HTH,
    Tiago

  • Repeated Window Server Log entries

    My 18 month old iMac 8.1, 24 inch 3.06 is working well, except that from today repeated Window Server Log entries like:
    Oct 01 06:42:24 53 kCGErrorIllegalArgument: _CGXMapShmemInternal : Invalid shared memory id
    constantly showing up every few seconds. This, besides the repeated app.firewall log entries makes me feel like something wrong is going on.
    I would feel satisfied if Experts on this forum would help me with their expertise to deal with this.
    Is this serious or normal or something should be done?
    Any help would be greatly appreciated.
    Best - KrishnaMohan.

    Answering myself. Tried various things, but what solved this problem surprises me. Removing ALL cookies in Safari solved this. Hope this helps someone.
    Best - KrishnaMohan.

  • Home Hub 5 Firewall bug causing dropped DSL connec...

    We've had infinity 2 since the start of December (2013) and have had nothing but problems with it.  It frequently (5x a day atm) drops the connection, sometimes it fails to re-obtain the connection so does a full restart.
    We had an engineer round who couldn't find anything wrong with our line, swapped us to another cable pair, but after a week of "stabilisation", the problems were still there.  We had a "new" home hub, which had been left using a test bench WiFi Id, so I suspect it was another faulty return they've given us.  It has been better - possibly 1/2 the number of disconnects, but still having problems.  We had another engineer round, who replaced the backplate on the BT socket with a new one, with better rated capacitor for filtering.  A few days later, not much better.
    What I have noticed from the logs, is that the loss of connection frequently happens a few minutes (normally 2, sometimes 10) after the hub has blocked bogus (normally Chinese) remote admin attempts.  Is there another attempt they're making that kills it, or is there a potential bug in the firewall that trips the reset?
    08:34:03, 01 Feb.
    IN: BLOCK [16] Remote administration (TCP 61.160.195.250:6000->86.134.x.x:22 on ppp3)
    08:05:09, 01 Feb.
    IN: BLOCK [16] Remote administration (TCP 211.75.112.37:61650->86.134.x.x:80 on ppp3)
    It quite often drops the connection just after I have connected using my Android phone (which has no problems with any other device).
    The log (before a reset) also includes bogus entries such as:
    09:08:18, 01 Feb.
    BLOCKED 2 more packets (because of Advanced Filter Rule)
    09:08:17, 01 Feb.
    OUT: BLOCK [44] Advanced Filter Rule (fw/policy/0/chain/fw_ath12_out/rule/0: UDP 0.0.0.0:68->255.255.255.255:67 on ath12)
    Again, the firewall kicking in, just before a reset?  Coincidence?
    Line stats:
    3. Firmware version:
    Software version 4.7.5.1.83.8.173.1.6 (Type A) Last updated 15/01/14
    4. Board version:
    BT Hub 5A
    5. VDSL uptime:
    0 days, 00:28:57
    6. Data rate:
    6446 / 52409
    7. Maximum data rate:
    6616 / 52721
    8. Noise margin:
    6.2 / 6.1
    9. Line attenuation:
    0.0 / 23.2
    10. Signal attenuation:
    0.0 / 21.3
    I'll have to give the line a few more days after last week's engineer visit before they'll listen to me again, but I'm considering cancelling my contract on the grounds they're unable to provide me with a stable broadband connection - despite the same line running standard ADSL perfectly well for 4 years
    Oh, the HH5 also makes a quiet whining and ticking noise if you stick your ear up to it - is this normal?

    You still have the same fault but not with the OR modem. Sounds like the HH5's are faulty

  • Home Hub 3. Constant connectivity loss. Event log ...

    Trying to get any kind of service out of my BT Infinity provision nowadays is like trying to arrange a tsunami in a desert.
    Time after time after time after time, the Internet is working normally but then a page refuses to refresh and attempts to open another website result only in 'page not found' even though the Internet-connection  icon is glowing steadily in the tray, and when I ask Windows to check on things, it reports that no problems have been found and the connection is working normally.
    Except, of course, it isn't.  I am not a technical expert and therefore haven't much of a clue where to start with this. My Vista OS runs with Panda Cloud AV and Malwarebytes PRO and Windows Firewall, all three of which have always played nicely. Prior to switching to BT Infinity, I had 'ordinary' BT broadband via a Netgear wireless router. The service was trouble-free.
    This morning, I decided to delve into BT Home Hub Manager to re-set to factory default. That in itself took some doing because clicking on the  Firefox bookmark got me nowhere at all: I had to sit here and wait for 10 minutes before the Hub page suddenly appeared as if out of nowhere.
    I found in the event logs a seemingly unending chain of firewall related reports. Rather than read 'em all, I just hit re-set and whoa-hey, after a 5 or 6 minute wait, everything was fine and dandy again. . .
    Until, 20 minutes later, it wasn't. Despite the re-set, Internet connectivity was shot to pieces. I'm on Amazon UK and click to open a new page in a new tab: Page Not Found. On the BBC News website, click on a link to open in a new tab: Page Not Found. Reload any of those existing, open pages and the reload circle just spins and spins until. . . Page Not Found.
    Unfortunately, I can't make head nor tail of the log reports in the Firewall section, but typically they read:
    IN: BLOCK [16] Remote administration
    BLOCKED  1 more packet [because of Remote Administration]
    IN: BLOCK [9] Packet invalid in connection
    BLOCKED  4 more packets (because of Packet invalid in connection)
    IN: BLOCK [9] Packet invalid in connection
    BLOCKED  20 more packets (because of Packet invalid in connection)
    BLOCKED 40 more packets (becuase of Packet invalid in connection)
    And so it goes on. . . and on. It's not even clear to me if the Home Hub is doing the blocking anyway, but if it is, then I can't begin to figure out why websites like Amazon UK, BBC News, Speedtest and even Google Maps should be BLOCKED.
    Help appreciated. . . always assuming, this post actually gets through -- I've no idea if this page has gone down or not, because though it's on-screen, that no longer means anything at all.

    Thanks, Ray. Just managed to get back on here, there's been virtually no connectivity at all. One odd thing has been that the Home Hub Manager has opened OK. But it is no longer in agreement with the computer about whether or not connectivity exists. For example:
    1) Click on disconnect in HH Manager, and it reports that the task has been achieved and the button changes to 'connect'.
    But no disconnection has occurred. The Internet icon is still in the tray in its 'connected' state. And it's possible to go on the Net and briefly open up a website that isn't in the FF cache.   But then everything fails again. Alternatively:
    2) Click 'disconnect' in the tray control and the icon changes to show a big red x. But the HH Manager doesn't agree. It continues to report that the computer is connected to the Internet.
    I'm baffled and wearied. I'll have to relocate the Infinity set-up from downstairs to where this computer is; I'm assuming I leave the modem in place (the new white flat thing the engineer brought when he installed Infinity) and just disconnect the black HH3 and bring it upstairs and plug it into the PC?
    Thanks for your help, much appreciated.

  • Suspicious entries in Hub's event log

    I'm suddenly seeing a lot of weird IP addresses establishing connections through my Home Hub's firewall. They originate from various places including UK, China, Mauritania, Ukraine, France and the US. What are they and what should I do? Is this some kind of attack?
    Recorded events
    Time and date    Message
    22:56:20, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
    22:54:13, 01 Jun.    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
    22:52:43, 01 Jun.    IN: BLOCK [9] Packet invalid in connection (TCP 173.194.34.134:443->81.129.77.137:60427 on ppp1)
    22:44:42, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
    22:43:49, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [50.142.102.35:27416] ppp1 NAPT)
    22:33:47, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
    22:32:57, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [41.188.105.33:31040] ppp1 NAPT)
    22:31:41, 01 Jun.    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
    22:30:57, 01 Jun.    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [41.188.105.33:31040] ppp1 NAPT)
    22:26:20, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [46.203.97.224:17071] ppp1 NAPT)
    01:55:25, 14 Jan.    <<<<<<<<<<<<<<<<<<<< Limit of uservisible log >>>>>>>>>>>>>>>>>>>>

    benjp88 wrote:
    Will disabling this affect online gaming?
    If you are running a game which needs incoming ports, then simply use port forwarding, and forward the ports that the game needs.
    At a guess, you are running a game or application on a device at IP address 192.168.1.69 which needs incoming port 45490. You can map this manually.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
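
A triage sketch for the log quoted in this thread, added here as an example and not part of the original posts: it groups every accepted port-forwarding session by internal host and port and lists the blocked packets separately, so you can see which LAN device the accepted inbound sessions are reaching. The regular expressions are inferred from the entries quoted above, and the function and field names are illustrative.

```python
import re
from collections import defaultdict

# The entries quoted in the post above, copied as they appear there.
LOG = """\
22:56:20, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
22:54:13, 01 Jun.    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
22:52:43, 01 Jun.    IN: BLOCK [9] Packet invalid in connection (TCP 173.194.34.134:443->81.129.77.137:60427 on ppp1)
22:44:42, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
22:43:49, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [50.142.102.35:27416] ppp1 NAPT)
22:33:47, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
22:32:57, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [41.188.105.33:31040] ppp1 NAPT)
22:31:41, 01 Jun.    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [86.26.183.246:6419] ppp1 NAPT)
22:30:57, 01 Jun.    IN: ACCEPT [54] Connection opened (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [41.188.105.33:31040] ppp1 NAPT)
22:26:20, 01 Jun.    IN: ACCEPT [57] Connection closed (Port Forwarding: UDP 192.168.1.69:45490 <-->81.129.77.137:45490 [46.203.97.224:17071] ppp1 NAPT)
01:55:25, 14 Jan.    <<<<<<<<<<<<<<<<<<<< Limit of uservisible log >>>>>>>>>>>>>>>>>>>>
"""

# Outer shape of a firewall entry: time, direction, verdict, [code], reason, (detail).
ENTRY = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d, \d\d \w{3}\.)\s+"
    r"(?P<dir>IN|OUT): (?P<verdict>ACCEPT|BLOCK) \[(?P<code>\d+)\] "
    r"(?P<reason>[^(]+?) \((?P<detail>.*)\)\s*$"
)
# Detail of an accepted port-forwarding session: LAN host, WAN address, [remote peer].
FORWARD = re.compile(
    r"Port Forwarding: (?P<proto>TCP|UDP) (?P<lan_ip>[\d.]+):(?P<lan_port>\d+) "
    r"<-->(?P<wan_ip>[\d.]+):(?P<wan_port>\d+) "
    r"\[(?P<peer_ip>[\d.]+):(?P<peer_port>\d+)\] (?P<iface>\S+) NAPT"
)
# Detail of a blocked packet: src->dst on an interface ("x" allows redacted octets).
FLOW = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src_ip>[\d.x]+):(?P<src_port>\d+)"
    r"->(?P<dst_ip>[\d.x]+):(?P<dst_port>\d+) on (?P<iface>\S+)"
)


def summarise(log_text):
    """Group accepted forwards by (LAN IP, port, protocol); collect blocks and unparsed lines."""
    forwarded = defaultdict(lambda: {"peers": set(), "opened": 0, "closed": 0})
    blocked, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = ENTRY.match(line)
        if not entry:
            unparsed.append(line)  # e.g. the "Limit of uservisible log" marker
            continue
        fwd = FORWARD.search(entry["detail"])
        if entry["verdict"] == "ACCEPT" and fwd:
            stats = forwarded[(fwd["lan_ip"], int(fwd["lan_port"]), fwd["proto"])]
            stats["peers"].add(fwd["peer_ip"])
            if entry["reason"] == "Connection opened":
                stats["opened"] += 1
            elif entry["reason"] == "Connection closed":
                stats["closed"] += 1
            continue
        flow = FLOW.search(entry["detail"])
        if entry["verdict"] == "BLOCK" and flow:
            blocked.append({
                "time": entry["time"],
                "reason": entry["reason"],
                "proto": flow["proto"],
                "src": f'{flow["src_ip"]}:{flow["src_port"]}',
                "dst": f'{flow["dst_ip"]}:{flow["dst_port"]}',
            })
            continue
        unparsed.append(line)
    return {"forwarded": dict(forwarded), "blocked": blocked, "unparsed": unparsed}


if __name__ == "__main__":
    summary = summarise(LOG)
    for (ip, port, proto), stats in summary["forwarded"].items():
        print(f"{proto} {ip}:{port} opened={stats['opened']} closed={stats['closed']} "
              f"peers={sorted(stats['peers'])}")
    for item in summary["blocked"]:
        print(f"BLOCK {item['reason']}: {item['proto']} {item['src']} -> {item['dst']}")
```
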

  • HOME HUB - EVENT LOG - Help with translation pleas...

    Have just found the event log on the Home Hub and am trying to understand what it is telling me. For today, there are many similar entries such as copied below;
    VOIP: [2.0A] [XXXXXXXX] [FXS DECT1 DECT2 DECT3 DECT4 DECT5] 200 OK - SIP message received
    VOIP: [2.0A] XXXXXXXXX] [] 501 Not Implemented - SIP message sent
    VOIP: [2.0A] [kas] [-] REGISTER - SIP message received
    Could someone please give me some idea what these entries relate to?
    Thanks
    EDIT; On reflection, I think the following are better examples of my concern that someone may be hacking into our hub / broadband or does the ' not implemented ' comment mean that the security has kicked in and rejected the attempt?
    VOIP: [2.0A] [john] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [john] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [daniel] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [daniel] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [Amanda] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [Amanda] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [andrew] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [andrew] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [jennifer] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [jennifer] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [newuser] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [newuser] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [computer] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [computer] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [calvin] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [calvin] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [charles] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [charles] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [paul] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [paul] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [dave] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [dave] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [steve] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [steve] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [tsinternetusers] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [tsinternetusers] [-] REGISTER - SIP message received
    13:31:32  16 Aug
    VOIP: [2.0A] [tsinternetuser] [] 501 Not Implemented - SIP message sent
    13:31:32  16 Aug
    VOIP: [2.0A] [tsinternetuser] [-] REGISTER - SIP message received

    edit the post as you're showing your VOIP number (If your BBT number starts 01).
    AFAIK it's something to do with the hub phone set up BUT I'm not too sure.
    DECT 1 to 5 (5 handsets can be registered)
    -+-No longer a forum member-+-

  • Odd hub log entry

    I was playing an online game earlier tonight and all of a sudden I got disconnected. When I finally managed to get my PC to connect up to my router (I had to remove the phone cable and perform a power cycle as a simple restart button wasn't enough) I found the following log entries in the machine
    23:19:52  22 Jul
    IDS proto parser : tcp data on syn segment (1 of 1) : 173.201.146.1 217.42.75.241 0419 TCP 80->31594 [S.A...] seq 624090545 ack 102806882 win 16384
    23:16:31  22 Jul
    SNTP Synchronised again to server: 213.123.26.170
    23:10:04  22 Jul
    IDS proto parser : udp null port (1 of 1) : 82.33.120.197 217.42.75.241 0048 UDP 0->1948
    At the same time as the first entry was made, my 2 Windows Vista PCs were cut off from the router
    and at the same time as the second entry my 2 Win XP PCs were cut off as well.
    It took me a while to get everything reconnected to the internet but I can't seem to find any reason for what has happened.
    I realise it's an intrusion detection log entry but it means nothing to me, and trying to google for it returned a lot of nonsense about p2p programs but nothing that matched the entries.
    Should prolly mention I have a V2(A) home hub
    Hub Firmware Information
    Current firmware
    Version 8.1.H.J (Type A)
    Last updated
    28/01/10
    so am kinda hoping this is the latest update.
    Any info on what just happened would be nice and also why the wireless keeps getting turned on when this stuff happens (I have it turned off since I don't have anything I need connecting wirelessly).

    There is an issue with some older versions of the home hub which causes loss of connection if the IDS events fill up the internal memory.
    This causes loss of DNS, which can be fixed by clearing the IDS logs. I thought this problem had been fixed in later firmware releases.
    On my old home hub I run a script to clear the IDS logs at regular intervals, which sorts the problem out.
    The alternative is to reboot the hub.

  • Unknown users connecting to BT home hub

    So I was poking around on the home hub and on the DHCP page I found:
    Unkown Host
    a8:e3:ee:94:f4:0b
    192.168.1.5
    00:23:48:45
    Exactly as this - which is very odd as we have no devices with this MAC address. It is definitely connected as I can ping it:
    Macintosh:~ graeme$ ping 192.168.1.5
    PING 192.168.1.5 (192.168.1.5): 56 data bytes
    64 bytes from 192.168.1.5: icmp_seq=0 ttl=255 time=6.968 ms
    64 bytes from 192.168.1.5: icmp_seq=1 ttl=255 time=3.328 ms
    64 bytes from 192.168.1.5: icmp_seq=2 ttl=255 time=3.183 ms
    64 bytes from 192.168.1.5: icmp_seq=3 ttl=255 time=3.312 ms
    64 bytes from 192.168.1.5: icmp_seq=4 ttl=255 time=5.286 ms
    64 bytes from 192.168.1.5: icmp_seq=5 ttl=255 time=10.186 ms
    ^C
    --- 192.168.1.5 ping statistics ---
    6 packets transmitted, 6 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 3.183/5.377/10.186/2.548 ms
    But I can't find where it is or how to kick it off. I have the network "secured" as much as the home hub will allow so am not happy to find interlopers there. Also noticed that the number of MB downloaded the other day was rather high (~ 1GB/day) considering no one had been here.
    Very odd. Any home hub experts out there who can tell me how to disconnect people? The odd thing is that there is no entry in the "Devices" section of the page. Any suggestions or insight will be appreciated!
    Thanks,
    Graeme

    graemewinter wrote:
    Funny thing that - I do. After rummaging through the network settings on the PS3 it seems that it is by default in 'lurk mode' where it does not register itself with the DNS hence could not get to it from the home hub. It was switched off. Odd.
    Also seems that the amount of bandwidth used according to BT on viewYourBroadbandUsage is *much* lower than that reported by the router. Odd indeed. Hmm...
    Anyhow, thanks DS for the pointer!
    No probs
    You could always disconnect the PS3 from the hub when online gaming isn't needed...
    (And when you do, name the device via the hub manager, fix it to the issued DHCP address and no more 'who is this on my system')
    -+-No longer a forum member-+-

  • Home Hub 5 firewall rules and TP Link routers

    I am not yet a BT customer but am looking to sign up for Infinity and I understand I will get a Home Hub 5 unit ... however I would prefer to use my TP-Link AC1750 which has proven to be excellent with its WIFI signal. My TP-Link is a cable version, not the ADSL version.
    I understand the HomeHub 5 now contains the VDSL modem built in (rather than separate) so I suspect I'll need to hang my TP-Link off one of the HomeHub 5 Gbe ports and disable Wireless on the Home Hub. Has anyone tried this? Do you know if the firewall rules can be set to put my TP Link in a "DMZ" , i.e. no firewall protection, because I'd prefer to do that as my TP Link is a router/firewall combined and it will make it easier for getting my VPN ports working etc.
    Alternatively do you know if the cable you would normally plug into the HomeHub5 "Broadband WAN" plug is just straightforward Gbe, i.e so I can put it straight into my TP Link and not use the HomeHub 5 at all?
    Thanks

    Keith,
    Thanks very much for your reply. So I can't use the HomeHub 5 as a cable modem, but do you know what kind of broadband/WAN connection BT OpenReach provide that goes into the HomeHub? Is that straight-forward Gbe that I could probably plug into my TP Link, as it's designed to take a Gbe connection? (Currently it is connected into one of the LAN ports of my ADSL router/modem/firewall device as I'm still on ADSL but was planning my upgrade to Infinity)
    Alternatively, I could connect my TP Link into one of the Home Hub 5 LAN ports, so long as I can designate that port as a DMZ port (i.e. no firewall protection) so that my TP Link will be the only one controlling the firewall rules. Is it possible to make one port, or one device a DMZ device on the Home Hub 5?
    Thanks

  • Weird Sky Hub Log Entries

    Hello all, I'm after a bit of assistance with some log entries I am seeing. I have a couple of devices on the other side of my Sky Router, and have opened Telnet and SSH ports on the router so that I can access these devices externally. This works fine, but for security I ask the router to log every connection attempt, and that's where things get interesting. I'm seeing some pretty weird log entries, and I'm hoping you can assist me in decoding them. Every few seconds there is a log entry like this:
    Jul 22 07:31:25 syslog:always->TELNETIN=ptm0.1 OUT= MAC=c0:3e:0f:2e:89:8e:00:d0:f6:80:a1:32:08:00:45:00:00:3c:b7:20:40:00:35:06:6e:b8:de:87:d2:3d src=222.135.210.61 DST=151.231.<my IP>
    Now I can work out that this is an attempted Telnet session from 222.135.210.61, which belongs to China Unicom Liaoning. My 3 questions are:
    What is that MAC address all about!
    Can I specifically block this IP from getting to me?
    Has the telnet session been permitted, or denied?

    The telnet session would have been permitted because you have the port open; but you do have passwords on your telnet accounts, so no harm done, as it won't get through without a password for your telnet server. You can block these requests by IP address, but you'd end up blocking and adding IP addresses on a daily basis. I've run a honeypot on my connection, and found that the majority of these attempts are rather pathetic in their attempt to attack the telnet service; in my opinion it's very unlikely to cause any issues with any up to date patched telnet service. The MAC is to do with Ethernet routing at the lower level of the protocol stack, again nothing to worry about.
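
Added example, not part of the original thread: the `MAC=` value in the quoted entry is 30 bytes, far longer than one MAC address. Assuming the common Linux netfilter LOG layout (destination MAC, source MAC, EtherType) with the first 16 bytes of the IPv4 header appended, this sketch decodes it and tests that assumption by comparing the embedded source address with the logged `src=` value. The function and field names are illustrative.

```python
import ipaddress
import re
import struct

# Entry quoted in the post above; the poster redacted the end of the destination address.
SAMPLE = (
    "Jul 22 07:31:25 syslog:always->TELNETIN=ptm0.1 OUT= "
    "MAC=c0:3e:0f:2e:89:8e:00:d0:f6:80:a1:32:08:00:45:00:00:3c:b7:20:40:00:"
    "35:06:6e:b8:de:87:d2:3d src=222.135.210.61 DST=151.231.<my IP>"
)

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ETHERTYPE_IPV4 = 0x0800


def _mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def decode_mac_field(line):
    """Split a MAC= field into Ethernet header fields plus any trailing IPv4 header bytes."""
    found = re.search(r"\bMAC=((?:[0-9a-f]{2}:)+[0-9a-f]{2})", line, re.IGNORECASE)
    if not found:
        raise ValueError("no MAC= field in line")
    raw = bytes.fromhex(found.group(1).replace(":", ""))
    if len(raw) < 14:
        raise ValueError("MAC= field is shorter than an Ethernet header")

    result = {
        "dst_mac": _mac(raw[0:6]),   # interface that received the frame
        "src_mac": _mac(raw[6:12]),  # previous hop on the local link, not the remote host
        "ethertype": int.from_bytes(raw[12:14], "big"),
        "ipv4": None,
    }

    # Assumption: bytes after the EtherType are the start of the IPv4 header.
    rest = raw[14:]
    if result["ethertype"] == ETHERTYPE_IPV4 and len(rest) >= 16 and rest[0] >> 4 == 4:
        (ver_ihl, _tos, total_len, ident, flags_frag,
         ttl, proto, _cksum, src) = struct.unpack("!BBHHHBBH4s", rest[:16])
        ipv4 = {
            "header_len": (ver_ihl & 0x0F) * 4,
            "total_length": total_len,
            "id": ident,
            "dont_fragment": bool(flags_frag & 0x4000),
            "ttl": ttl,
            "protocol": IP_PROTOCOLS.get(proto, str(proto)),
            "src": str(ipaddress.IPv4Address(src)),
        }
        # Cross-check the assumed layout against the address the router logged itself.
        logged = re.search(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})", line, re.IGNORECASE)
        ipv4["matches_logged_src"] = bool(logged) and logged.group(1) == ipv4["src"]
        result["ipv4"] = ipv4
    return result


if __name__ == "__main__":
    for key, value in decode_mac_field(SAMPLE).items():
        print(key, value)
```

The two MAC addresses identify the router's WAN interface and the adjacent upstream device on that link; they say nothing about the remote host, which appears only in the IP header bytes and the `src=` field.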

  • Firewall log - what's this mean?

    I had a hardware router/firewall and IP address server, just down stream from my cable modem until that device died this week. I've reconfigured what I had to use my Airport Graphite to distribute IP addresses and share a single IP address for all the devices on the home network "using NAT and DHCP" and connected 2 computers and a network printer with a simple Ethernet switch/hub. (BTW, this provides noticeably faster speed to the internet!) I already had the OS 10.4 firewall turned on in the 2 MacBooks, but I also now enabled Stealth Mode and for the first time "Firewall logging."
    So I later looked in the log file and I find:
    "Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:33 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:33 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80"
    10.0.1.8 is the IP for this MacBook. I think this says I'm being scanned by someone attempting to use port 52066 (???), from some other computer named 74.125.19.104 port 80 - is that correct? Should I be worried? Is there something else I should enable or disable? Naturally, I turned on the minimum number of services in the Firewall. BTW, how could I find out who/where 74.125.19.104 is? This went on for about 3 minutes last night but seems to have stopped now.
    I think this also makes me believe I should go back to a hardware firewall upstream, right at the 'port of entry,' but I don't see much for sale these days (at home prices) that is a true firewall. I know a new Airport Extreme Basestation says it has a "built-in firewall" but I can't find any information about that feature, ie is it more than just NAT translation? Does anyone have a recommendation for a reasonably priced, easy to set up and manage firewall?
    thanks!

    I have Snort NIDS running on my computer and get port scans similar to this reported to me all the time from numerous websites - for example, from these very discussions.apple.com forums. Port 443 is a server https port, your port 49235 is in all likelihood the randomly created outbound port that you initially established a web browsing connection with, hence, assuming this to be an established connection, it would have been forwarded through your router to your computer (to your 192.168.x.x address). This IPA belongs to akamai.com, I think they handle a lot of online purchasing and online billing stuff and stuff that requires logging in in some manner or another -- were you paying bills or buying something online or in an authenticated website at the time this occurred?
    I don't understand why these port scans from established connections to reputable web servers happen, but I don't believe them to be abnormal. Perhaps someone who is a subject matter expert in enterprise-class web servers could weigh in here and explain what may be going on here.
