On Tue, Jul 6, 2010 at 11:06 PM, Steven W. Orr <ste...@syslang.net> wrote:
> I have my firewall set to drop any more than three ICMP
> packets per minute.

Yes, you're paranoid.

> 47185 firewall events but they all came from one macaddr

Which would be the router which forwarded the packets to you.

> I checked with RCN and they say it's not one of theirs.

(1) Maybe it's your router? (2) Most ISP help desks are staffed by idiots, and they often ignore abuse complaints precisely because of people like you.

> Jul 6 22:34:08 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT=
> MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=221.192.199.46
> DST=207.172.210.41 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 DF PROTO=TCP
> SPT=12200 DPT=8085 WINDOW=8192 RES=0x00 SYN URGP=0

That's an attempt to connect to you on TCP port 12200, which Google tells me is used by an anonymizing web proxy. IP address is in Hong Kong. Based on that limited information, I'd guess that particular probe is someone scanning for open proxies to hijack. Now all we need to do is examine the other 47184 events to see what they were!

> I can block that macaddr from my firewall, but I can't believe this is as
> nefarious as it looks.

Quick, block that MAC address! Clearly your router is trying to hack you!

> ... some go back to avg.com ... I can call them in the morning...

Your trouble report will be marked "IWF", and properly so.

Repeat after me: ICMP is not an attack. It's a critical part of the Internet Protocol suite. Dropping ICMP is broken. Ping is but a small subset of ICMP. (Ping isn't an attack, either, but that's another story, for another time.)

I know this is a bit harsh, but I've worked with an ISP before, and they get complaints like this all day long. This is the ISP equivalent of "I can't find the 'any key'", except it occurs a lot more often. Also, I haven't had any caffeine yet, so I'm groggy and grumpy. (After caffeine, I'll just be grumpy.) Plus I know Steve's a big boy and can take it.

-- Ben
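
The MAC= field from the quoted log entry, decoded as an added example (not part of the original message): netfilter's LOG target prints the Ethernet header as destination MAC, source MAC and EtherType, so the source MAC on an inbound event is the last-hop router, whatever the remote SRC address is. The second and third log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the event quoted in the thread. Lines 2 and 3 are constructed
# samples using documentation-range source addresses.
SAMPLE_LOG = """\
Jul 6 22:34:08 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT= MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=221.192.199.46 DST=207.172.210.41 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 DF PROTO=TCP SPT=12200 DPT=8085 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 6 22:35:11 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT= MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=198.51.100.7 DST=207.172.210.41 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jul 6 22:36:40 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT= MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=203.0.113.9 DST=207.172.210.41 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KEY_VALUE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Split one netfilter LOG line into link-layer and IP-layer facts.

    Returns None when the line has no 14-octet Ethernet header in MAC=.
    """
    fields = dict(KEY_VALUE.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) != 14:
        return None
    return {
        "dst_mac": ":".join(octets[:6]),     # NIC that received the frame
        "src_mac": ":".join(octets[6:12]),   # last hop that forwarded it
        "ethertype": "".join(octets[12:]),   # 0800 = IPv4
        "src_ip": fields.get("SRC"),         # remote host, possibly many hops away
        "proto": fields.get("PROTO"),
    }


def sources_per_mac(log_text):
    """Map each source MAC to the sorted remote IPs seen behind it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event:
            seen[event["src_mac"]].add(event["src_ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}


if __name__ == "__main__":
    for mac, ips in sources_per_mac(SAMPLE_LOG).items():
        print(f"{mac} forwarded traffic from {len(ips)} remote hosts: {ips}")
```

One source MAC with many unrelated SRC addresses behind it is the normal signature of a default gateway, which is why filtering on that MAC would cut off all inbound traffic.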