Kim:

Good point. If there was a machine on the LAN that was trying to ping (or otherwise connect with) 0.0.0.0, it could generate this sort of response. But...hmmm...would the "destination unreachable" reply be said to come *from* 0.0.0.0? I would think it would be from my ISP's routers. Or, possibly, these ICMP messages always come from a broadcast address, where the source IP is the address that's unreachable (e.g., 80.135.217.223). I should Google for how these ICMP messages are put together, and update fwlog.pl accordingly.

-Scott

On Tue, 9 Jul 2002 [EMAIL PROTECTED] wrote:

> Quoting "Scott C. Best" <[EMAIL PROTECTED]>:
>
> Just gambling here but couldn't a packet coming from the inside
> with an echo request or (probably any data destined for 0.0.0.0)
> provoke this kind of response?
>
> A capture of network traffic should help you out if that is
> the case.
>
> Kim Oppalfens
>
> > PS: These are some strange logs you're seeing. :) I believe
> > they're getting logged because of the "0.0.0.0" return
> > IP address that the packets say they are from. That IP
> > address was historically used for broadcasts, but is now
> > much more likely a sign of trouble. A lot of firewall
> > rulesets block traffic from that IP address straight away.
> >
> > PPS: The message that it's sending in this log is an ICMP
> > error message "Destination Unreachable". My hunch is
> > that your LEAF box is on a cable-modem environment,
> > and someone in your neighborhood is experimenting with a
> > rather sloppy and noisy DOS attack. You may want to
> > send this logfile to your ISP's "abuse" email.
> >
> > > Message: 1
> > > Date: Sun, 07 Jul 2002 02:27:08 -0700
> > > From: Michael McClure <[EMAIL PROTECTED]>
> > > To: Leaf Mailing List <[EMAIL PROTECTED]>
> > > Subject: [leaf-user] Anybody know what happened to:
> > >
> > > http://www.echogent.com/cgi-bin/fwlog.pl
> > >
> > > It's not there anymore....
> > >
> > > Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x0000 T=150 (#17)
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Stuff, things, and much much more.
> > http://thinkgeek.com/sf
> > ------------------------------------------------------------------------
> > leaf-user mailing list: [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
>
> -------------------------------------------------
> This mail sent through Tiscali Webmail (http://webmail.tiscali.be)
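
Added example, not part of the original thread and not fwlog.pl's code: a small Python decoder for the ipchains "Packet log:" line quoted above, showing how the ICMP fields and the 56-byte length can be read. It assumes ipchains prints the ICMP type and code in the two "port" slots for PROTO=1; the name decode() and the note strings are hypothetical.

```python
import re

# Field layout of an ipchains "Packet log:" line (Linux 2.2 kernels).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# Subset of RFC 792 ICMP types and Destination Unreachable codes.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              5: "redirect", 8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF set", 5: "source route failed"}

def decode(line):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["notes"] = []
    if rec["proto"] == 1:
        # Assumption: for ICMP the "ports" are really type (src) and code (dst).
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
        rec["icmp_name"] = ICMP_TYPES.get(rec["icmp_type"], "unknown")
        if rec["icmp_type"] == 3:
            rec["icmp_detail"] = UNREACH_CODES.get(rec["icmp_code"], "unknown")
            # 20 (IP) + 8 (ICMP) + 20 (quoted IP header) + 8 (quoted data) = 56
            if rec["length"] == 56:
                rec["notes"].append("length fits an RFC 792 error quoting an option-less IP header")
    if rec["src"] == "0.0.0.0":
        rec["notes"].append("source 0.0.0.0 is only valid from a host still acquiring its address (RFC 1122)")
    return rec

# The log line from the thread, rejoined onto one line.
SAMPLE = ("Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 "
          "0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x0000 T=150 (#17)")

if __name__ == "__main__":
    for key, value in decode(SAMPLE).items():
        print(f"{key}: {value}")
```

Read this way, the ":3" after each address is not a port: the line records ICMP type 3, code 3, denied by rule 17 on eth0.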