On Fri, Apr 26, 2002 at 01:25:20PM -0700, Stewart Thompson wrote:
> Hi All:
>
> In reviewing my Firewall Logs, I see lots of IGMP dropped packets.
> These are from recognized servers from my ISP, Name Servers etc. I have
> been seeing lots of bad things about ICMP packets, and they seem to be
> related. Does anyone have any comment regarding security risks associated
> with IGMP packets? Any suggested rules?
>
> Stu...........
>
>
> Here is a sample log entry for the above:
>

What is 224.0.0.1?
All Systems on this Subnet [RFC1112,JBP]

> Apr 26 11:59:53 woodstock kernel: FW: IN=eth0 OUT= MAC= XX.XX.XX.XX.XX.XX
> SRC=ISPDEFAULTGATEWAY DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1
> ID=25148 PROTO=2

This is some kind of group management dialog. Now the question is what
is it that your ISP's router is announcing? It could be IGMPv2 querying
the subnet for members. If you don't want to use multicast then I'd
suggest you drop 224/4.

>
> Also this one is weird. I don't have a computer at IP 192.168.2.44:
>
> Apr 26 12:11:43 woodstock kernel: FW: IN= OUT=eth1 SRC=EXTIP
> DST=192.168.2.44 LEN=251 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138
> DPT=138 LEN=231

This one is a Microsoft thing (netbios-dgm 138/udp). Are you running samba?

Ramin

>
>
> Eth0=External Interface
> Eth1=Internal Interface
>
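
Added example, not part of the original message: a small Python triage of netfilter LOG lines in the format quoted above, labelling IGMP sent to 224.0.0.1, other traffic to 224/4, and netbios-dgm (138/udp). The sample lines are constructed and use documentation addresses; the label names and function names are this example's own.

```python
import ipaddress
import re

MULTICAST = ipaddress.ip_network("224.0.0.0/4")     # the "224/4" range
ALL_SYSTEMS = ipaddress.ip_address("224.0.0.1")     # All Systems on this Subnet
KV = re.compile(r"(\w+)=(\S*)")                     # KEY=value tokens in a LOG line

# Constructed sample lines in the same format as the quoted entries;
# the addresses are documentation/private ranges, not values from the post.
SAMPLE = [
    "Apr 26 11:59:53 fw kernel: FW: IN=eth0 OUT= MAC= SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=25148 PROTO=2",
    "Apr 26 12:11:43 fw kernel: FW: IN= OUT=eth1 SRC=192.168.2.1 DST=192.168.2.44 LEN=251 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=231",
    "Apr 26 12:20:02 fw kernel: FW: IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 DPT=23",
]

def parse(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    return dict(KV.findall(line))

def classify(line):
    """Label one log line by destination range, protocol and port."""
    f = parse(line)
    try:
        dst = ipaddress.ip_address(f.get("DST", ""))
    except ValueError:
        return "unparsed"
    proto = f.get("PROTO", "")
    if dst in MULTICAST:
        if proto == "2":
            # IP protocol 2 is IGMP; 224.0.0.1 with TTL=1 never leaves the subnet
            if dst == ALL_SYSTEMS and f.get("TTL") == "1":
                return "igmp-all-systems"
            return "igmp-multicast"
        return "multicast-other"
    if proto == "UDP" and f.get("DPT") == "138":
        return "netbios-dgm"
    return "other"

def summarize(lines):
    """Count how many lines fall under each label."""
    counts = {}
    for line in lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE).items()):
        print(f"{n:4d}  {label}")
```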
