Re: [leaf-user] Anybody know what happened to:
Kim:

Good point. If there was a machine on the LAN that was trying to ping (or otherwise connect with) 0.0.0.0, it could generate this sort of response. But...hmmm...would the destination unreachable reply be said to come *from* 0.0.0.0? I would think it would be from my ISP's routers. Or, possibly, these ICMP messages always come from a broadcast address, where the source IP is the address that's unreachable (eg, 80.135.217.223).

I should Google for how these ICMP messages are put together, and update fwlog.pl accordingly.

-Scott

On Tue, 9 Jul 2002 [EMAIL PROTECTED] wrote:

> Quoting Scott C. Best [EMAIL PROTECTED]:
>
> Just gambling here but couldn't a packet coming from the inside with an echo request or (probably any data destined for 0.0.0.0) provoke this kind of response? A capture of network traffic should help you out if that is the case.
>
> Kim Oppalfens
>
> > PS: These are some strange logs you're seeing. :) I believe they're getting logged because of the 0.0.0.0 return IP address that the packets say they are from. That IP address was historically used for broadcasts, but is now much more likely a sign of trouble. A lot of firewall rulesets block traffic from that IP address straight away.
> >
> > PPS: The message that it's sending in this log is an ICMP error message Destination Unreachable. My hunch is that your LEAF box is on a cable-modem environment, and someone in your neighborhood is experimenting with a rather sloppy and noisy DOS attack. You may want to send this logfile to your ISP's abuse email.
> >
> > > Message: 1
> > > Date: Sun, 07 Jul 2002 02:27:08 -0700
> > > From: Michael McClure [EMAIL PROTECTED]
> > > To: Leaf Mailing List [EMAIL PROTECTED]
> > > Subject: [leaf-user] Anybody know what happened to:
> > >
> > > http://www.echogent.com/cgi-bin/fwlog.pl
> > >
> > > It's not there anymore
> > >
> > > Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x T=150 (#17)
>
> This mail sent through Tiscali Webmail (http://webmail.tiscali.be)

---
This sf.net email is sponsored by: ThinkGeek
Stuff, things, and much much more.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Anybody know what happened to:
Michael:

Heya. Sorry about that. Paraphrasing a famous beagle, a ScriptAlias bug in your httpd.conf always appears when you're in the shower on vacation. :) Service is up again. Sorry for the delays...

-Scott

PS: These are some strange logs you're seeing. :) I believe they're getting logged because of the 0.0.0.0 return IP address that the packets say they are from. That IP address was historically used for broadcasts, but is now much more likely a sign of trouble. A lot of firewall rulesets block traffic from that IP address straight away.

PPS: The message that it's sending in this log is an ICMP error message Destination Unreachable. My hunch is that your LEAF box is on a cable-modem environment, and someone in your neighborhood is experimenting with a rather sloppy and noisy DOS attack. You may want to send this logfile to your ISP's abuse email.

> Message: 1
> Date: Sun, 07 Jul 2002 02:27:08 -0700
> From: Michael McClure [EMAIL PROTECTED]
> To: Leaf Mailing List [EMAIL PROTECTED]
> Subject: [leaf-user] Anybody know what happened to:
>
> http://www.echogent.com/cgi-bin/fwlog.pl
>
> It's not there anymore
>
> Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x T=150 (#17)
Re: [leaf-user] Anybody know what happened to:
Quoting Scott C. Best [EMAIL PROTECTED]:

Just gambling here but couldn't a packet coming from the inside with an echo request or (probably any data destined for 0.0.0.0) provoke this kind of response? A capture of network traffic should help you out if that is the case.

Kim Oppalfens

> PS: These are some strange logs you're seeing. :) I believe they're getting logged because of the 0.0.0.0 return IP address that the packets say they are from. That IP address was historically used for broadcasts, but is now much more likely a sign of trouble. A lot of firewall rulesets block traffic from that IP address straight away.
>
> PPS: The message that it's sending in this log is an ICMP error message Destination Unreachable. My hunch is that your LEAF box is on a cable-modem environment, and someone in your neighborhood is experimenting with a rather sloppy and noisy DOS attack. You may want to send this logfile to your ISP's abuse email.
>
> > Message: 1
> > Date: Sun, 07 Jul 2002 02:27:08 -0700
> > From: Michael McClure [EMAIL PROTECTED]
> > To: Leaf Mailing List [EMAIL PROTECTED]
> > Subject: [leaf-user] Anybody know what happened to:
> >
> > http://www.echogent.com/cgi-bin/fwlog.pl
> >
> > It's not there anymore
> >
> > Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x T=150 (#17)
Re: [leaf-user] Anybody know what happened to:
In the meantime, I have *a bunch* of this:

Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x T=150 (#17)
Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.14.16.161:3 L=56 S=0x00 I=62745 F=0x T=150 (#17)
Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.136.236.230:3 L=56 S=0x00 I=61390 F=0x T=150 (#17)
Jul 7 03:04:01 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 211.243.227.2:3 L=56 S=0x00 I=25947 F=0x T=150 (#17)

They are coming from everywhere -- should I be concerned? What is this?

thanks.
mike.

Michael McClure wrote:

> http://www.echogent.com/cgi-bin/fwlog.pl
>
> It's not there anymore
Re: [leaf-user] Anybody know what happened to:
On Sun, 2002-07-07 at 02:27, Michael McClure wrote:

> http://www.echogent.com/cgi-bin/fwlog.pl
>
> It's not there anymore

Michael,

This may be temporary. I'll contact Scott for clarification of the situation. Thanks for letting me know this resource is unavailable at this time.

--
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
Re: [leaf-user] Anybody know what happened to:
Michael McClure wrote:

> In the meantime, I have *a bunch* of this:
>
> Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x T=150 (#17)
> Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.14.16.161:3 L=56 S=0x00 I=62745 F=0x T=150 (#17)
> Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.136.236.230:3 L=56 S=0x00 I=61390 F=0x T=150 (#17)
> Jul 7 03:04:01 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 211.243.227.2:3 L=56 S=0x00 I=25947 F=0x T=150 (#17)
>
> They are coming from everywhere -- should I be concerned? What is this?

www.iana.org is your friend ;

Well, according to http://www.iana.org/assignments/protocol-numbers, protocol 1 is icmp.

Here: http://www.iana.org/assignments/icmp-parameters we see that icmp type 3 is ``Destination Unreachable ... [RFC792]''.

Which firewall are you using?

When you say, ``They are coming from everywhere ...'', what do you mean? The source in all that you've posted is 0.0.0.0, whereas the destination varies.

Tell us what is your ip address/network numbers, and we may better analyze your situation.

What do you think?

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
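An added example, not part of the thread and not taken from fwlog.pl: a small parser for the ipchains "Packet log" lines quoted above that decodes the ICMP type and code, flags the unspecified 0.0.0.0 source, and counts how many destinations fall inside the poster's own network. The names `LOG_RE`, `parse` and `summarize` are hypothetical, and the network 66.235.0.0/22 used when calling it is an assumption derived from the 66.235.3.x address and 255.255.252.0 mask given later in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# ipchains prints the ICMP type in the source-port slot and the ICMP code in
# the destination-port slot when PROTO=1. F=0x is truncated in the thread's
# copy of the log, so the hex digits after it are optional here.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]*) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)")
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request"}
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port"}  # RFC 792

# The four log lines quoted in the thread.
SAMPLE = """\
Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x T=150 (#17)
Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.14.16.161:3 L=56 S=0x00 I=62745 F=0x T=150 (#17)
Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.136.236.230:3 L=56 S=0x00 I=61390 F=0x T=150 (#17)
Jul 7 03:04:01 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 211.243.227.2:3 L=56 S=0x00 I=25947 F=0x T=150 (#17)
"""

def parse(line):
    """Return a dict for one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = (ipaddress.ip_address(rec[k]) for k in ("src", "dst"))
    if rec["proto"] == "1":
        t, c = int(rec["sport"]), int(rec["dport"])
        rec["icmp"] = ICMP_TYPES.get(t, f"type-{t}")
        if t == 3:
            rec["icmp"] += "/" + UNREACH_CODES.get(c, f"code-{c}")
    return rec

def summarize(text, local_net):
    """Per source: ICMP kinds seen, distinct destinations, and how many are local."""
    net = ipaddress.ip_network(local_net)
    dsts, kinds = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse, text.splitlines())):
        dsts[rec["src"]].add(rec["dst"])
        kinds[rec["src"]].add(rec.get("icmp", "proto-" + rec["proto"]))
    return {str(s): {"unspecified_source": s.is_unspecified,
                     "kinds": sorted(kinds[s]),
                     "distinct_destinations": len(dsts[s]),
                     "destinations_in_local_net": sum(d in net for d in dsts[s])}
            for s in dsts}
```

Calling `summarize(SAMPLE, "66.235.0.0/22")` reports a single source, 0.0.0.0, sending type 3 code 3 (port unreachable) to four distinct destinations, none of which is inside the poster's network.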
Re: [leaf-user] Anybody know what happened to:
At 05:56 AM 7/7/02 -0700, Mike Noyes wrote:

> On Sun, 2002-07-07 at 02:27, Michael McClure wrote:
>
> > http://www.echogent.com/cgi-bin/fwlog.pl
> >
> > It's not there anymore
>
> Michael,
>
> This may be temporary. I'll contact Scott for clarification of the situation. Thanks for letting me know this resource is unavailable at this time.

I took a quick look and yes, I do believe the loss is temporary. Someone revised this host's (apache) srm.conf a few weeks ago and changed the directory that the cgi-bin ScriptAlias handler points to. I imagine the intent was to make a new feature work (there is stuff in the new directory), but a side effect was to disable the fwlog.pl service (and perhaps other services as well).

I only have user-level access to this host, so I can't fix the problem. Anyway, I wouldn't want to, since in doing so I might break something else. But once Scott returns from vacation (sometime this coming week), he should be able to restore the service in a few minutes. Until then, folks will need to be patient.

--
---Never tell me the odds!--
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
Re: [leaf-user] Anybody know what happened to:
Oh -- I guess I read it backwards... that's why I needed the firewall tool! ;-)

I guess I should've said they are coming from I don't know where and going to everywhere (ie there are tons of different addresses).

I'm using straight Eigerstein no firewall addins, and my IP is dhcp from the ISP, but begins in 66.235.3.x cause it changes, and my mask is 255.255.252.0

thanks for your help.
mike.

Michael D. Schleif wrote:

> Michael McClure wrote:
>
> > In the meantime, I have *a bunch* of this:
> >
> > Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.135.217.223:3 L=56 S=0x00 I=42918 F=0x T=150 (#17)
> > Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.14.16.161:3 L=56 S=0x00 I=62745 F=0x T=150 (#17)
> > Jul 7 03:04:00 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 80.136.236.230:3 L=56 S=0x00 I=61390 F=0x T=150 (#17)
> > Jul 7 03:04:01 mikerouter kernel: Packet log: input DENY eth0 PROTO=1 0.0.0.0:3 211.243.227.2:3 L=56 S=0x00 I=25947 F=0x T=150 (#17)
> >
> > They are coming from everywhere -- should I be concerned? What is this?
>
> www.iana.org is your friend ;
>
> Well, according to http://www.iana.org/assignments/protocol-numbers, protocol 1 is icmp.
>
> Here: http://www.iana.org/assignments/icmp-parameters we see that icmp type 3 is ``Destination Unreachable ... [RFC792]''.
>
> Which firewall are you using?
>
> When you say, ``They are coming from everywhere ...'', what do you mean? The source in all that you've posted is 0.0.0.0, whereas the destination varies.
>
> Tell us what is your ip address/network numbers, and we may better analyze your situation.
>
> What do you think?
Re: [leaf-user] Anybody know what happened to:
On Sun, 2002-07-07 at 11:54, Ray Olszewski wrote:

> At 05:56 AM 7/7/02 -0700, Mike Noyes wrote:
>
> > On Sun, 2002-07-07 at 02:27, Michael McClure wrote:
> >
> > > http://www.echogent.com/cgi-bin/fwlog.pl
> > >
> > > It's not there anymore
> >
> > Michael,
> >
> > This may be temporary. I'll contact Scott for clarification of the situation. Thanks for letting me know this resource is unavailable at this time.
>
> I took a quick look and yes, I do believe the loss is temporary. Someone revised this host's (apache) srm.conf a few weeks ago and changed the directory that the cgi-bin ScriptAlias handler points to. I imagine the intent was to make a new feature work (there is stuff in the new directory), but a side effect was to disable the fwlog.pl service (and perhaps other services as well).
>
> I only have user-level access to this host, so I can't fix the problem. Anyway, I wouldn't want to, since in doing so I might break something else. But once Scott returns from vacation (sometime this coming week), he should be able to restore the service in a few minutes. Until then, folks will need to be patient.

If someone wants to send me the file I'll host it on monkeynoodle

--
Jack Coates
Monkeynoodle: A Scientific Venture...