At 07:24 AM 10/15/02 +0200, Jon Clausen wrote:
>On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:
>
> > >1)... dunno what to make of that,
> >
> > Me either. Please provide the full line for the blocked packet (as you did
> > with the second example, below), not an uninterpretable fragment. This
> > *could* just be icmp type 3, message 1 ("host unreachable"). Or it could be
> > something else, since you don't tell us (for example) what the PROTO= value
> > is.
>
>O.K. full log entry:
>Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
>10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)

OK. It's what I guessed above ... an icmp "host unreachable" message. 
There's probably a secret decoder ring for this stuff online somewhere, but 
I use a book. Here's the pieces:

         PROTO=1          protocol 1 is icmp
         10.131.224.1:3   10.131.224.1 is the source IP, of course;
                          the "port" is the icmp message type, 3=Destination unreachable
         62.243.222.62:1  62.243.222.62 is the destination IP, as usual;
                          the "port" is the icmp message code, 1=host unreachable

Without seeing the content of the packet (which does not get logged), we 
have no way to know what host this is about. If there is some IP address 
(or block of them) you are having trouble reaching, this may be why. Or, 
since the source address is a private address, it may be that someone has 
his internal network misconfigured in a somewhat bizarre fashion, and you 
are getting icmp packets that are replying to someone else's connection 
attempts. Or (let's be paranoid for a moment) someone else is spoofing your 
external IP address as the source of some packets, and you are getting the 
replies.


>As I said, there are a bunch of this kind of entries, all
>PROTO=1 <some-ip>:3 62.243.222.62:1 L=56 S=0x00 I varying T varying (#
>varying)
>
>It starts at 11:36:39 continues through the day to 21:11:20

Are the various "<some-ip>" entries all private addresses like subnet 10, 
or are some of them from real (public) IP addresses? If the second, what 
are some of the sources?


>The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server,
>behind it. None of the IPs logged show in the server's logs.
>
>I don't usually see this much activity in the firewall's logs.
>
> > >but then there's this guy:
> > >
> > >is this some kind of DoS? Am I under attack, or is it just some
> > >misconfigured box?
> >
> > Probably none of the above. PROTO=1 means icmp, and "port" 5 (it's really a
> > message type, not a port, when icmp is involved) means it is an icmp
> > redirect packet. The packet should be telling you that this host is not the
> > preferred route to some destination. Whether this means a problem with
> > your routing table or someone else's is unknowable from the information you
> > have provided.
>
>I don't think there's a problem with my box's routing table, meaning
>that the clients on the lan have no problems connecting to the net or
>the dmz/server. Also there are no problems connecting to the server from
>'outside'... It's been running with the current config for months.

I'm not sure, but I think that if your end ignores the redirects, the other 
end will still route for you ... they are a suggestion, not an order. So 
you can, probably, safely disregard these messages.
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                   -- Han Solo
Palo Alto, California, USA                        [EMAIL PROTECTED]
-------------------------------------------------------------------------------
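The decoding Ray walks through above (PROTO=1 is icmp, the source "port" is the message type, the destination "port" is the code) and his follow-up question about whether the logged sources are private addresses, as an added Python example that is not from this thread or from the LEAF project. The regex field order and the two sample lines other than the one Jon quoted are assumptions.

```python
import re
import ipaddress

# Field layout of an ipchains "Packet log:" entry as quoted in the thread
# (assumption: the order CHAIN ACTION IFACE PROTO= SRC:p DST:p L= S= I= F= T= is fixed).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-f]+) T=(?P<ttl>\d+)"
)
# ICMP (type, code) names for the messages the thread talks about.
ICMP_NAMES = {(3, 0): "net unreachable", (3, 1): "host unreachable", (3, 3): "port unreachable",
              (5, 0): "redirect for network", (5, 1): "redirect for host"}
# RFC 1918 ranges ("private addresses like subnet 10" in Ray's question).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_packet_log(line):
    """Decode one ipchains log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[k] = int(rec[k])
    for k in ("tos", "frag"):
        rec[k] = int(rec[k], 16)
    src = ipaddress.ip_address(rec["src"])
    rec["src_private"] = any(src in net for net in RFC1918)
    if rec["proto"] == 1:
        # For ICMP, ipchains logs the message type as the source "port" and the code as the dest "port".
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
        rec["icmp_name"] = ICMP_NAMES.get((rec["sport"], rec["dport"]), "unknown")
    return rec

def summarize(lines):
    """Tally ICMP entries by message name and by whether the source is RFC 1918."""
    counts = {}
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["proto"] == 1:
            key = (rec["icmp_name"], "private src" if rec["src_private"] else "public src")
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the entry quoted in the thread plus two made-up lines in the same format.
SAMPLE_LINES = [
    "Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)",
    "Oct 14 14:47:10 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.7:3 62.243.222.62:1 L=56 S=0x00 I=1020 F=0x0000 T=51 (#9)",
    "Oct 14 14:48:02 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.1:5 62.243.222.62:1 L=56 S=0x00 I=77 F=0x0000 T=63 (#9)",
]
```

Run `summarize(SAMPLE_LINES)` over a day's worth of entries to answer Ray's question at a glance: how many of the unreachable/redirect sources are RFC 1918 and how many are public.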
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html