On Thu, Aug 22, 2002 at 05:15:24AM +0300, [EMAIL PROTECTED] wrote:
>
> Hello
>
> I have a fairly simple firewall on my workstation - I include the main part
> of it below.
>
> I noticed the following in my logs and was wondering if anyone could help me
> understand it.
>
> Aug 19 01:38:34 candy kernel: rejects !IN=eth0 OUT=
> MAC=00:e0:7d:b1:52:bd:00:b0:c2:8d:c7:5a:08:00 SRC=62.179.136.1
> DST=62.71.40.14 LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=41222 PROTO=ICMP TYPE=3
> CODE=2 [SRC=62.71.40.14 DST=62.179.136.1 LEN=48 TOS=0x00 PREC=0x00 TTL=106
> ID=766 DF PROTO=TCP SPT=3072 DPT=0 WINDOW=0 RES=0x34 URG ACK RST FIN URGP=0 ]
It looks like someone was scanning 62.179.136.1 and spoofed your source
address. ICMP error messages, such as this one, include the header
information of the packet that triggered the error, which is what you see in
the brackets. The fact that it fell through your --state ESTABLISHED,RELATED
rule is a pretty good indication that it didn't originate from your computer.

I'm sure you'll get stranger packets than that in the future too, I certainly
do :)

Notice the enclosed packet has a destination port of 0, which is not legal,
and some weird TCP flags set (URG ACK RST FIN). This might be an attempt to
crash the recipient, or to determine its operating system maybe. See

http://www.iss.net/security_center/advice/Exploits/Ports/0/default.htm

http://www.iss.net/security_center/advice/ is a very useful site, BTW.

Jason

