Re: [leaf-user] What's this guy trying?
port 1433.. isn't that Citrix or more specifically the ICA protocol. Or was it VNC... joey On Mon, 14 Oct 2002 23:29:42 +0200 Jon Clausen <[EMAIL PROTECTED]> wrote: > Logged into a remote Dachstein box to check up on > something else, and I > see huge amounts of denied packets in > /var/log/messages... > > Connection attempts from f.x: > > 10.131.224.1:3 -> 62.243.222.62:1 > ^^unknown^^ ^^my remote^^ > > I see a bunch of these from different IPs (that is, from > port 3 to port > 1)... dunno what to make of that, but then there's this > guy: > > # grep 65.82.107.120 $_ | nl > 1 Oct 14 15:05:56 skilderhus kernel: Packet log: > input DENY eth0 > PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 > I=5685 F=0x T=45 > (#2) > > > ... > >164 Oct 14 15:06:07 skilderhus kernel: Packet log: > input DENY eth0 > PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 > I=5866 F=0x T=45 > (#2) > > is this some kind of DoS? Am I under attack, or is it > just some > misconfigured box? > > I nmapped the IP, and the only thing that came up was: > Port State Service > 1433/tcp openms-sql-s > > -so I'm guessing it's a zombie windows host... (?) > > TIA > > Jon Clausen > > > --- > This sf.net email is sponsored by:ThinkGeek > Welcome to geek heaven. > http://thinkgeek.com/sf > > leaf-user mailing list: [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/leaf-user > SR FAQ: > http://leaf-project.org/pub/doc/docmanager/docid_1891.html --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
See below.
At 11:29 PM 10/14/02 +0200, Jon Clausen wrote:
>Logged into a remote Dachstein box to check up on something else, and I
>see huge amounts of denied packets in /var/log/messages...
>
>Connection attempts from f.x:
>
>10.131.224.1:3 -> 62.243.222.62:1
>^^unknown^^ ^^my remote^^
>
>I see a bunch of these from different IPs (that is, from port 3 to port
>1)... dunno what to make of that,
Me either. Please provide the full line for the blocked packet (as you did
with the second example, below), not an uninterpretable fragment. This
*could* just be icmp type 3, message 1 ("host unreachable"). Or it could be
something else, since you don't tell us (for example) what the PROTO= value
is..
>but then there's this guy:
>
># grep 65.82.107.120 $_ | nl
> 1 Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0
>PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45
>(#2)
>
>
>...
>
>164 Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0
>PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45
>(#2)
>
>is this some kind of DoS? Am I under attack, or is it just some
>misconfigured box?
Probably none of the above. PROTO=1 means icmp, and "port" 5 (it's really a
message type, not a port, when icmp is involved) means it is an icmp
redirect packet. The packet should be telling you that this host is not the
preferred route to some destination. Whether this means a problem with
your routing table or someone else's is unknowable from the information you
have provided.
>I nmapped the IP, and the only thing that came up was:
>Port State Service
>1433/tcp openms-sql-s
>
>-so I'm guessing it's a zombie windows host... (?)
--
---"Never tell me the odds!"
Ray Olszewski -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]
---
---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
on 10/14/02 3:09 PM, [EMAIL PROTECTED] at [EMAIL PROTECTED] wrote: > port 1433.. isn't that Citrix or more specifically the ICA > protocol. Or was it VNC... > > joey Not Citrix: that's 1494... Dale Mirenda > > > On Mon, 14 Oct 2002 23:29:42 +0200 > Jon Clausen <[EMAIL PROTECTED]> wrote: >> Logged into a remote Dachstein box to check up on >> something else, and I >> see huge amounts of denied packets in >> /var/log/messages... >> >> Connection attempts from f.x: >> >> 10.131.224.1:3 -> 62.243.222.62:1 >> ^^unknown^^ ^^my remote^^ >> >> I see a bunch of these from different IPs (that is, from >> port 3 to port >> 1)... dunno what to make of that, but then there's this >> guy: >> >> # grep 65.82.107.120 $_ | nl >> 1 Oct 14 15:05:56 skilderhus kernel: Packet log: >> input DENY eth0 >> PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 >> I=5685 F=0x T=45 >> (#2) >> >> >> ... >> >> 164 Oct 14 15:06:07 skilderhus kernel: Packet log: >> input DENY eth0 >> PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 >> I=5866 F=0x T=45 >> (#2) >> >> is this some kind of DoS? Am I under attack, or is it >> just some >> misconfigured box? >> >> I nmapped the IP, and the only thing that came up was: >> Port State Service >> 1433/tcp openms-sql-s >> >> -so I'm guessing it's a zombie windows host... (?) >> >> TIA >> >> Jon Clausen >> >> >> --- >> This sf.net email is sponsored by:ThinkGeek >> Welcome to geek heaven. >> http://thinkgeek.com/sf >> > >> leaf-user mailing list: [EMAIL PROTECTED] >> https://lists.sourceforge.net/lists/listinfo/leaf-user >> SR FAQ: >> > http://leaf-project.org/pub/doc/docmanager/docid_1891.html > > > > --- > This sf.net email is sponsored by:ThinkGeek > Welcome to geek heaven. > http://thinkgeek.com/sf > > leaf-user mailing list: [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/leaf-user > SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html > --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] What's this guy trying?
Microsoft SQL server listens on that port (1433)...there's a worm going around that is looking for unprotected SQL server hosts. Hopefully this doesn't wrap: http://securityresponse.symantec.com/avcenter/venc/data/digispid.b.worm.html Hope that helps Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED] Sent: Monday, October 14, 2002 6:09 PM To: Jon Clausen; [EMAIL PROTECTED] Subject: Re: [leaf-user] What's this guy trying? port 1433.. isn't that Citrix or more specifically the ICA protocol. Or was it VNC... joey On Mon, 14 Oct 2002 23:29:42 +0200 Jon Clausen <[EMAIL PROTECTED]> wrote: > Logged into a remote Dachstein box to check up on > something else, and I > see huge amounts of denied packets in > /var/log/messages... > > Connection attempts from f.x: > > 10.131.224.1:3 -> 62.243.222.62:1 > ^^unknown^^ ^^my remote^^ > > I see a bunch of these from different IPs (that is, from > port 3 to port > 1)... dunno what to make of that, but then there's this > guy: > > # grep 65.82.107.120 $_ | nl > 1 Oct 14 15:05:56 skilderhus kernel: Packet log: > input DENY eth0 > PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 > I=5685 F=0x T=45 > (#2) > > > ... > >164 Oct 14 15:06:07 skilderhus kernel: Packet log: > input DENY eth0 > PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 > I=5866 F=0x T=45 > (#2) > > is this some kind of DoS? Am I under attack, or is it > just some > misconfigured box? > > I nmapped the IP, and the only thing that came up was: > Port State Service > 1433/tcp openms-sql-s > > -so I'm guessing it's a zombie windows host... (?) > > TIA > > Jon Clausen --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:
> >1)... dunno what to make of that,
>
> Me either. Please provide the full line for the blocked packet (as you did
> with the second example, below), not an uninterpretable fragment. This
> *could* just be icmp type 3, message 1 ("host unreachable"). Or it could be
> something else, since you don't tell us (for example) what the PROTO= value
> is..
O.K. full log entry:
Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)
As I said, there are a bunch of this kind of entries, all
PROTO=1 :3 62.243.222.62:1 L=56 S=0x00 I varying T varying (#
varying)
It starts at 11:36:39 continues through the day to 21:11:20
The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server,
behind it. None of the IPs logged show in the server's logs.
I don't usually see this much activity in the firwall's logs.
> >but then there's this guy:
> >
> >is this some kind of DoS? Am I under attack, or is it just some
> >misconfigured box?
>
> Probably none of the above. PROTO=1 means icmp, and "port" 5 (it's really a
> message type, not a port, when icmp is involved) means it is an icmp
> redirect packet. The packet should be telling you that this host is not the
> preferred route to some destination. Whether this means a problem with
> your routing table or someone else's is unknowable from the information you
> have provided.
I don't think there's a problem with my box's routing table, meaning
that the clients on the lan have no problems connecting to the net or
the dmz/server. Also there are no problems connecting to the server from
'outside'... It's been running with the current config for months.
TIA
Jon Clausen
---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
At 07:24 AM 10/15/02 +0200, Jon Clausen wrote:
>On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:
>
> > >1)... dunno what to make of that,
> >
> > Me either. Please provide the full line for the blocked packet (as you did
> > with the second example, below), not an uninterpretable fragment. This
> > *could* just be icmp type 3, message 1 ("host unreachable"). Or it
> could be
> > something else, since you don't tell us (for example) what the PROTO=
> value
> > is..
>
>O.K. full log entry:
>Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
>10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)
OK. It's what I guessed above ... an icmp "host unreachable" message.
There's probably a secret decoder ring for this stuff online somewhere, but
I use a book. Here's the pieces:
PROTO=1 protocol 1 is icmp
10.131.224.1:3 10.131.224.1 is the source IP, of course;
the "port" is the icmp message type, 3=Destination
unreachable
62.243.222.62:1 62.243.222.62 is the destination IP, as usual;
the "port" is the icmp message code, 1=host
unreachable
Without seeing the content of the packet (which does not get logged), we
have no way to know what host this is about. If there is some IP address
(or block of them) you are having trouble reaching, this may be why. Or,
since the source address is a private address, it may be that someone has
his internal network misconfigured in a somewhat bizarre fashion, and you
are getting icmp packets that are replying to someone else's connection
attempts. Or (let's be paranoid for a moment) someone else is spoofing your
external IP address as the source of some packets, and you are getting the
replies.
>As I said, there are a bunch of this kind of entries, all
>PROTO=1 :3 62.243.222.62:1 L=56 S=0x00 I varying T varying (#
>varying)
>
>It starts at 11:36:39 continues through the day to 21:11:20
Are the various "" entries all private addresses like subnet 10,
or are some of them from real (public) IP addresses? If the second, what
are some of the sources?
>The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server,
>behind it. None of the IPs logged show in the server's logs.
>
>I don't usually see this much activity in the firwall's logs.
>
> > >but then there's this guy:
> > >
> > >is this some kind of DoS? Am I under attack, or is it just some
> > >misconfigured box?
> >
> > Probably none of the above. PROTO=1 means icmp, and "port" 5 (it's
> really a
> > message type, not a port, when icmp is involved) means it is an icmp
> > redirect packet. The packet should be telling you that this host is not
> the
> > preferred route to some destination. Whether this means a problem with
> > your routing table or someone else's is unknowable from the information
> you
> > have provided.
>
>I don't think there's a problem with my box's routing table, meaning
>that the clients on the lan have no problems connecting to the net or
>the dmz/server. Also there are no problems connecting to the server from
>'outside'... It's been running with the current config for months.
I'm not sure, but I think that if your end ignores the redirects, the other
end will still route for you ... they are a suggestion, not an order. So
you can, probably, safely disregard these messages.
--
---"Never tell me the odds!"
Ray Olszewski -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]
---
---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
On Tue, 2002-10-15 at 08:15, Ray Olszewski wrote:
> At 07:24 AM 10/15/02 +0200, Jon Clausen wrote:
> >On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:
> >
> > > >1)... dunno what to make of that,
> > >
> > > Me either. Please provide the full line for the blocked packet (as you did
> > > with the second example, below), not an uninterpretable fragment. This
> > > *could* just be icmp type 3, message 1 ("host unreachable"). Or it
> > could be
> > > something else, since you don't tell us (for example) what the PROTO=
> > value
> > > is..
> >
> >O.K. full log entry:
> >Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
> >10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)
>
> OK. It's what I guessed above ... an icmp "host unreachable" message.
> There's probably a secret decoder ring for this stuff online somewhere, but
> I use a book. Here's the pieces:
>
> PROTO=1 protocol 1 is icmp
> 10.131.224.1:3 10.131.224.1 is the source IP, of course;
> the "port" is the icmp message type, 3=Destination
> unreachable
> 62.243.222.62:1 62.243.222.62 is the destination IP, as usual;
> the "port" is the icmp message code, 1=host
> unreachable
>
> Without seeing the content of the packet (which does not get logged), we
> have no way to know what host this is about. If there is some IP address
> (or block of them) you are having trouble reaching, this may be why. Or,
> since the source address is a private address, it may be that someone has
> his internal network misconfigured in a somewhat bizarre fashion, and you
> are getting icmp packets that are replying to someone else's connection
> attempts. Or (let's be paranoid for a moment) someone else is spoofing your
> external IP address as the source of some packets, and you are getting the
> replies.
Or worse, a system on you'r lan is infected with the ms-sql worm and
trying to propagate by scanning other hosts, of witch most is
unreachable, and you get a lot of error message naturally.
or hopefully im way off :)
mvh
Ronny Aasen
---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
Take a look at www.sans.org There is a blurb about ms sql servers that might be relevant. >>>RWT Dale Mirenda wrote: > on 10/14/02 3:09 PM, [EMAIL PROTECTED] at > [EMAIL PROTECTED] wrote: > > >>port 1433.. isn't that Citrix or more specifically the ICA >>protocol. Or was it VNC... >> >>joey >> > > Not Citrix: that's 1494... > > Dale Mirenda > > >> >>On Mon, 14 Oct 2002 23:29:42 +0200 >>Jon Clausen <[EMAIL PROTECTED]> wrote: >> >>>Logged into a remote Dachstein box to check up on >>>something else, and I >>>see huge amounts of denied packets in >>>/var/log/messages... >>> >>>Connection attempts from f.x: >>> >>>10.131.224.1:3 -> 62.243.222.62:1 >>>^^unknown^^ ^^my remote^^ >>> >>>I see a bunch of these from different IPs (that is, from >>>port 3 to port >>>1)... dunno what to make of that, but then there's this >>>guy: >>> >>># grep 65.82.107.120 $_ | nl >>>1 Oct 14 15:05:56 skilderhus kernel: Packet log: >>>input DENY eth0 >>>PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 >>>I=5685 F=0x T=45 >>>(#2) >>> >>> >>>... >>> >>>164 Oct 14 15:06:07 skilderhus kernel: Packet log: >>>input DENY eth0 >>>PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 >>>I=5866 F=0x T=45 >>>(#2) >>> >>>is this some kind of DoS? Am I under attack, or is it >>>just some >>>misconfigured box? >>> >>>I nmapped the IP, and the only thing that came up was: >>>Port State Service >>>1433/tcp openms-sql-s >>> >>>-so I'm guessing it's a zombie windows host... (?) >>> >>>TIA >>> >>>Jon Clausen >>> >>> >>>--- >>>This sf.net email is sponsored by:ThinkGeek >>>Welcome to geek heaven. >>>http://thinkgeek.com/sf >>> >>> >> >> >>>leaf-user mailing list: [EMAIL PROTECTED] >>>https://lists.sourceforge.net/lists/listinfo/leaf-user >>>SR FAQ: >>> >>> >>http://leaf-project.org/pub/doc/docmanager/docid_1891.html >> >> >> >>--- >>This sf.net email is sponsored by:ThinkGeek >>Welcome to geek heaven. >>http://thinkgeek.com/sf >> >>leaf-user mailing list: [EMAIL PROTECTED] >>https://lists.sourceforge.net/lists/listinfo/leaf-user >>SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html >> >> > > > > > > > --- > This sf.net email is sponsored by:ThinkGeek > Welcome to geek heaven. > http://thinkgeek.com/sf > > leaf-user mailing list: [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/leaf-user > SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html > --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
On Mon, Oct 14, 2002 at 11:15:11PM -0700, Ray Olszewski wrote: > >O.K. full log entry: > >Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 > >10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9) > > OK. It's what I guessed above ... an icmp "host unreachable" message. > There's probably a secret decoder ring for this stuff online somewhere, but > I use a book. Wow! A *book*... cool ;) > Here's the pieces: > > PROTO=1 protocol 1 is icmp > 10.131.224.1:3 10.131.224.1 is the source IP, of course; > the "port" is the icmp message type, 3=Destination > unreachable > 62.243.222.62:1 62.243.222.62 is the destination IP, as usual; > the "port" is the icmp message code, 1=host > unreachable Right. Gotta look up an icmp code 'translation' guide... any good links anyone? > Without seeing the content of the packet (which does not get logged), we > have no way to know what host this is about. If there is some IP address > (or block of them) you are having trouble reaching, this may be why. No trouble connecting, not to my knowledge anyway. I'm not on that lan, and really only have anything to do with the server and the dach box... > Or, > since the source address is a private address, it may be that someone has > his internal network misconfigured in a somewhat bizarre fashion, and you > are getting icmp packets that are replying to someone else's connection > attempts. Or (let's be paranoid for a moment) someone else is spoofing your > external IP address as the source of some packets, and you are getting the > replies. Hmmm... grep PROTO=1 messages gives a sh*tload of lines. Every one is "input DENY eth0", that is, coming from the outside. I know (from the httpd-logs on the server) that the 'neighborhood' 62.243.222 is positively swamped with infected windows servers. > Are the various "" entries all private addresses like subnet 10, > or are some of them from real (public) IP addresses? If the second, what > are some of the sources? I've put a sorted/uniq'ed list of yesterday's and today's instances at the bottom, but yeah they all look pretty private, with the exception of the 65.82.107.120 (and maybe some of the 172...s ?) > >The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server, > >behind it. None of the IPs logged show in the server's logs. Perhaps a little more info should go here: lan: 192.168.0.0/24 dmz: 10.0.1.0/24 AFAIK nobody on the lan runs anything other than 'regular' (couple linux, mostly w$) hosts. The server in the dmz is SuSE 7.3 > >> Probably none of the above. PROTO=1 means icmp, and "port" 5 (it's > >really a > >> message type, not a port, when icmp is involved) means it is an icmp > >> redirect packet. The packet should be telling you that this host is not > >the > >> preferred route to some destination. Whether this means a problem with > >> your routing table or someone else's is unknowable from the information > >you > >> have provided. > > > >I don't think there's a problem with my box's routing table, meaning > >that the clients on the lan have no problems connecting to the net or > >the dmz/server. Also there are no problems connecting to the server from > >'outside'... It's been running with the current config for months. > > I'm not sure, but I think that if your end ignores the redirects, the other > end will still route for you ... they are a suggestion, not an order. So > you can, probably, safely disregard these messages. Hmmm... The only one that knows anything (about computers anyway) on the lan, is on vacation ATM. I should prolly ask him whether everything's o.k. when he gets back... Thanks for the info/effort. Jon Clausen Today's harvest: 10.1.0.1 10.1.1.22 10.114.128.1 10.130.128.1*) 10.134.224.1 10.2.128.1 *) 10.217.192.1*) 10.219.224.1 10.25.116.1 10.46.60.1 10.59.224.1 10.62.52.1 10.62.60.1 10.68.0.1 10.80.128.1 192.168.120.4 192.168.246.142 192.168.9.202 Yesterday's: 10.130.128.1*) 10.131.224.1 10.133.52.1 10.2.128.1 *) 10.217.192.1*) 10.22.28.1 10.3.32.1 10.52.72.1 10.52.96.1 10.58.144.1 10.75.16.1 172.16.11.1 172.16.193.1 172.17.82.106 172.22.32.3 172.26.49.9 192.168.129.3 192.168.147.98 192.168.246.54 192.168.247.110 192.168.247.158 192.168.247.22 192.168.9.193 65.82.107.120 *) present both today and yesterday --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] What's this guy trying?
Jon Clausen wrote: ... > Right. Gotta look up an icmp code 'translation' guide... any good links > anyone? http://www.robertgraham.com/pubs/firewall-seen.html#2 Cheers, -- Patrick Benson Stockholm, Sweden --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
