First, they are not Ethernet addresses; they are IP addresses, written in hex. Here's the secret decoder ring (this seems to resurface every 6 months or so, BTW):
C0C809BF becomes C0 C8 09 BF becomes 192.200.009.191

With this as a template, you should be able to translate the other two for yourself.

With no real info about your LAN setup (especially, what host, if any, uses IP address 192.200.9.50) or the routing table on boswell, I can't offer any good guesses as to why you are getting redirects. Other discussion currently on this list seems to reflect the suspicion that they are associated with a MS-SQL exploit of some sort (does your OSX server run MS-SQL, perchance? does a Mac-OSX version of MS-SQL even exist?), but I've not seen it myself, nor have I seen any clear explanation of why this exploit might be using icmp redirects (they *can* be used for man-in-the-middle attacks by changing the routing of packets from routers that are willing to act on them, but the one example we've actually seen of an icmp packet from a server known to be running MS-SQL was destination unreachable, not redirect).

Some other things to consider are ... though you say "no firewall rules, etc.", I infer from the "(incorrectly addressed) internal network" comment that the system does NAT the LAN. Am I correct in inferring that eth0 is your LAN interface?

At 04:15 PM 10/15/02 -0500, [EMAIL PROTECTED] wrote:
>Hi. I'm running Oxygen here as a dns (dnscache, tinydns) and dhcp server
>-- no firewall rules, etc...
>
>Today we started getting icmp redirect messages from one machine back to
>the oxygen machine. I stuck a log command in using ipchains and this is
>what I get:
>
>Oct 15 16:06:19 boswell kernel: Packet log: input ACCEPT eth0 PROTO=1
>192.200.9.191:5 192.200.9.111:1 L=56 S=0x00 I=52446 F=0x0000 T=255 (#1)
>Oct 15 16:06:19 boswell kernel: Redirect from C0C809BF/eth0 to C0C80932
>ignored.Path = C0C8096F -> C0C80932, tos 00
>
>I understand the icmp redirect, but not the addresses in the second line
>(C0C809BF, C0C80932, C0C8096F). These don't look like ethernet addresses.
>Can anyone help?
>
>Also, what would be causing the redirects?
>
>FYI:
>
>1. Yes, 192.200.9.0/24 is our (incorrectly addressed) internal network due
>to an accident of history.
>
>2. 192.200.9.191 is a Mac OSX server (the old rhapsody version) machine
>running a taxi-dispatching server process.
>
>3. 192.200.9.111 (boswell) is the Oxygen machine.

--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                -- Han Solo
Palo Alto, California, USA
[EMAIL PROTECTED]
-------------------------------------------------------------------------------

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
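The "decoder ring" above, applied mechanically to the kernel's "Redirect ... ignored" lines, as an added example that is not part of either message in this thread. The two log lines are the ones quoted in the post (the redirect line re-joined, since it was only wrapped for e-mail); the role labels I give the four addresses are my own reading of the line, not names the kernel uses.

```python
import re
import ipaddress

# Constructed sample: the two ipchains/kernel lines quoted in the post,
# with the wrapped "Redirect ... ignored" line joined back into one line.
SAMPLE_LOG = """\
Oct 15 16:06:19 boswell kernel: Packet log: input ACCEPT eth0 PROTO=1 192.200.9.191:5 192.200.9.111:1 L=56 S=0x00 I=52446 F=0x0000 T=255 (#1)
Oct 15 16:06:19 boswell kernel: Redirect from C0C809BF/eth0 to C0C80932 ignored.Path = C0C8096F -> C0C80932, tos 00
"""

# Matches the kernel's redirect notice; each address is 8 hex digits.
REDIRECT_RE = re.compile(
    r"Redirect from (?P<src>[0-9A-Fa-f]{8})/(?P<iface>\S+) to (?P<new_gw>[0-9A-Fa-f]{8}) "
    r"ignored\.\s*Path = (?P<path_src>[0-9A-Fa-f]{8}) -> (?P<path_dst>[0-9A-Fa-f]{8}), "
    r"tos (?P<tos>[0-9A-Fa-f]{2})"
)


def hex_to_ip(word: str) -> str:
    """Decode an 8-hex-digit word to dotted quad, e.g. C0C809BF -> 192.200.9.191."""
    if len(word) != 8:
        raise ValueError(f"expected 8 hex digits, got {word!r}")
    return str(ipaddress.IPv4Address(int(word, 16)))


def parse_redirects(log_text: str) -> list[dict]:
    """Return one record per 'Redirect ... ignored' line, with addresses decoded.

    Packet-log lines and anything else that is not a redirect notice are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        events.append({
            "iface": m["iface"],
            "sender": hex_to_ip(m["src"]),          # host that sent the ICMP redirect
            "new_gateway": hex_to_ip(m["new_gw"]),  # gateway the redirect asks the kernel to use
            "path_from": hex_to_ip(m["path_src"]),  # first address of the reported path
            "path_to": hex_to_ip(m["path_dst"]),    # second address of the reported path
            "tos": int(m["tos"], 16),
        })
    return events


if __name__ == "__main__":
    for event in parse_redirects(SAMPLE_LOG):
        print(event)
```

Running it on the quoted lines gives sender 192.200.9.191 (the OSX box), new gateway 192.200.9.50, and a path 192.200.9.111 (boswell) -> 192.200.9.50, which is why the question of what host, if any, holds 192.200.9.50 matters.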