Judging by the logging you provided below, the source address for the ping packet is that of your router itself (192.168.0.1) and not something outside your network. If the packet were coming from an external IP address, ZoneAlarm should note that as the source address, and not 192.168.0.1.
Keep in mind that for outbound packets, the source address (your internal PC at 192.168.0.2) is NAT'd, not the destination address. On the other hand, for inbound packets (which is what we're seeing here), it is the destination address (again, that of your PC) that is NAT'd. Since this is an inbound packet, the router should not do any address translation for the destination field of the packet. If we assume that this is true, then the actual source of the packet is your router, not someone on the Internet. That having been said, is it at all possible that your router has been compromised? Also, are the log entries below neighboring entries in your log or did you just take samples from different points in the log? The entries below show a packet every 12 or 13 hours. Regards, Roy At 09:50 PM 3/14/2002 +0100, cs4l wrote: >Hello Roy, > >Yes, my router sends a request to my PC. > >I didn't change anything to the router, nor to ZoneAlarm. > >My worry is how could someone manage to send an ICMP request trough my >router when it's configured with NAT and the address 192.168.x.x is not >routable? > >Any hint? > >TIA, cs4l > >Thursday, March 14, 2002, 8:55:31 PM, you wrote: > >RK> It would appear that 192.168.0.1 is trying to ping 192.168.0.2. ICMP >type 8 >RK> is an echo request (outbound ping packet). Type 0 is an echo reply (ping >RK> reply). Have you upgraded the software on your router lately? Or possible >RK> an update to ZoneAlarm? Or have you possibly modified the rules on >your PC? > > >RK> At 09:42 PM 3/13/2002 +0100, cs4l wrote: > >>Hello security-basics, > >> > >>I have several PCs with ZoneAlarm behind a netgear R314 cable router. > >> > >>I used to receive no alerts. Since I'm using NAT with several machines > >>on a private network in 192.168.x.x, sharing one single internet > >>address, I thought this was normal. > >> > >>BUT in the last few days, I've started getting alert from ZoneAlarm > >>saying that I get ICMP packets from my router interface 192.168.x.1 > >>FWIN,2002/03/11,08:25:32 +1:00 GMT,192.168.0.1:0,192.168.0.2:0,ICMP > >>(type:8/subtype:0) > >>FWIN,2002/03/11,21:11:29 +1:00 GMT,192.168.0.1:0,192.168.0.2:0,ICMP > >>(type:8/subtype:0) > >>FWIN,2002/03/12,10:35:37 +1:00 GMT,192.168.0.1:0,192.168.0.2:0,ICMP > >>(type:8/subtype:0) > >> > >>How should I interpret this? > >> > >>-- > >>Best regards, > >> cs4l
