Our firewall rules have the following entries in them:

    $IPCHAINS -A input -s xxx.xx.xxx.x/24 -d $REMOTENET -j DENY -l
    $IPCHAINS -A input -b -i $OUTERIF -p icmp -s xxx.xx.xxx.x/24 -d $OUTERNET -j DENY -l
    etc etc etc

Where xxx is the IP of a known hacker here on the Gold Coast, Queensland. (There are actually 6 entries in relation to the IP ranges that they own; they are an ISP as well.) But none of these are a match for the IP that is giving us this log entry. This is the first time an entry like this has been made. Is there a particular change you would make to these lines? Being relatively new to ipchains, any help would be appreciated.

Regards
Pete

-----Original Message-----
From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 March 2002 11:27 AM
To: Jay Kline
Cc: Debian Security List
Subject: Re: Unusual logging

On Thu, Mar 21, 2002 at 06:12:02PM -0600, Jay Kline wrote:
> What seems odd to me is the yyy IP is originating from such a low port
> (3) which means the system is most likely not unix or windows (or at least
> not standard apps), unless using some specific application. Anyone know of
> one that does this?

Errm, no, you are missing the fact that PROTO=1. That means it's ICMP traffic. His iptables blocked a Destination Unreachable ICMP message. Those get sent by Unix and non-Unix systems all the time, but typically not by userland stuff.

Personally, I would label this a misconfigured firewall. There are others out there who do like to block such messages. I don't see the point.

noah

--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

################################################################################
This Communication and any files transmitted with it are intended for the named addressee only, are confidential in nature and may contain legally privileged information. The copying or distribution of this communication or any information it contains, by anyone other than the addressee or the person responsible for delivering this communication to the intended addressee, is prohibited.
If you receive this communication in error, please advise us by telephone, and then delete the communication. You will be reimbursed for reasonable costs incurred in notifying us. Before you open or use any attachments first check them for viruses and defects. Our liability is limited to resupplying any affected attachments only.
################################################################################
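The confusion in the thread (a "port 3" that is really ICMP type 3) and Pete's question of whether the logged source falls inside his denied /24s both come down to reading the ipchains log line correctly. The following is an added example, not code posted by Pete, Noah or Jay: it parses kernel 2.2 ipchains "Packet log:" lines, and for PROTO=1 reports the two fields after the addresses as ICMP type and code instead of ports, then checks the source against a list of denied CIDRs. The log layout (chain, target, interface, PROTO=, src:a, dst:b) is assumed from the ipchains logging format as I remember it; the sample lines use documentation address space and are constructed, as are the stand-in blocked range and hostname.

```python
"""Decode ipchains "Packet log:" lines and test sources against denied ranges.

Added example for the thread above; not code from any poster.
Assumed log layout (kernel 2.2 ipchains -l logging):
  Packet log: <chain> <target> <iface> PROTO=<n> <src>:<a> <dst>:<b> L=.. S=.. I=.. F=.. T=.. (#rule)
For PROTO=1 (ICMP) the <a> and <b> fields are the ICMP type and code, not ports.
"""
import ipaddress
import re

# ICMP type numbers (RFC 792 and later assignments)
ICMP_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",
    4: "source-quench",
    5: "redirect",
    8: "echo-request",
    11: "time-exceeded",
    12: "parameter-problem",
}

# Codes for type 3 (destination unreachable), RFC 792 / RFC 1122 / RFC 1812
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}

IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<a>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<b>\d+)"
)


def parse_ipchains_log(line):
    """Return a dict describing one log line, or None if it is not an ipchains log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto = int(m.group("proto"))
    a, b = int(m.group("a")), int(m.group("b"))
    rec = {
        "chain": m.group("chain"),
        "target": m.group("target"),
        "iface": m.group("iface"),
        "proto": proto,
        "proto_name": IP_PROTOCOLS.get(proto, str(proto)),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }
    if proto == 1:
        # ICMP has no ports: ipchains prints type:code in the port positions,
        # which is why "198.51.100.7:3" below is NOT a connection from port 3.
        rec["icmp_type"] = a
        rec["icmp_code"] = b
        name = ICMP_TYPES.get(a, f"type {a}")
        if a == 3:
            name += " (" + UNREACHABLE_CODES.get(b, f"code {b}") + ")"
        rec["summary"] = f"icmp {name}"
    else:
        rec["sport"] = a
        rec["dport"] = b
        rec["summary"] = f"{rec['proto_name']} {a} -> {b}"
    return rec


def matching_blocked_nets(src, blocked_cidrs):
    """Return the CIDRs from blocked_cidrs that contain src (empty list if none match)."""
    ip = ipaddress.ip_address(src)
    return [c for c in blocked_cidrs if ip in ipaddress.ip_network(c, strict=False)]


# Constructed sample lines using documentation address space (not real log data).
SAMPLE_LOGS = [
    "Mar 22 10:51:03 gw kernel: Packet log: input DENY eth0 PROTO=1 "
    "198.51.100.7:3 203.0.113.5:1 L=56 S=0x00 I=0 F=0x0000 T=248 (#12)",
    "Mar 22 10:51:09 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.9:3 203.0.113.5:22 L=60 S=0x00 I=1 F=0x4000 T=52 (#3)",
]

# Stand-in for the /24 ranges the rules deny; the real ones are masked in the post.
BLOCKED = ["192.0.2.0/24"]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_ipchains_log(line)
        hits = matching_blocked_nets(rec["src"], BLOCKED)
        print(f"{rec['src']} -> {rec['dst']}: {rec['summary']}; "
              f"matched by {hits or 'no deny rule'}")
```

Run against the two constructed lines, the first decodes as an ICMP destination-unreachable (host unreachable) from a source outside the denied range, i.e. the situation Noah describes, while the second is a genuine TCP packet from port 3 whose source does fall inside a denied /24. Feeding your own syslog excerpt through parse_ipchains_log and the real denied CIDRs answers both questions in the thread without guessing from the raw ":3".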

