I'm using a Debian woody box (kernel 2.2.17) for a firewall following the "Serious Example" in the ipchains howto (I've previously posted details about this here: http://lists.debian.org/debian-firewall/2001/debian-firewall-200108/msg00004.html).
I'm using kernel 2.2.17. Things have been stable and working well without my having to mess with the setup for months. However, infrequently (once every month or two) in the past but now more frequently (several times in the past 2 days), traffic through this box will suddenly stop, and I see this in /var/log/messages (the x.y.z.a ip address is the address of the external interface of the firewall box):

  Nov 14 08:29:22 fwbox -- MARK --
  Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=144 F=0x0000 T=255 (#1)
  Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=145 F=0x0000 T=255 (#1)
  Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=146 F=0x0000 T=255 (#1)
  Nov 14 08:38:15 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=147 F=0x0000 T=255 (#1)
  Nov 14 08:38:22 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=148 F=0x0000 T=255 (#1)
  Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=100 S=0xD0 I=155 F=0x0000 T=255 (#1)
  Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=109 S=0xC0 I=156 F=0x0000 T=255 (#1)
  Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=100 S=0xD0 I=157 F=0x0000 T=255 (#1)
  ...

This stuff ricochets on the loopback lo with a 'destination-unreachable' ICMP packet as the source protocol and an 'unassigned' ICMP packet (type 1) as the destination.

-- Is this a smurf attack?
-- If so, am I getting hammered from outside?
-- Have I been breached and a trojan is trying to launch an attack from my firewall box?
-- Or is this something caused by a configuration error on my part?
(http://linux.oreillynet.com/lpt/a/linux/2000/03/10/netadmin/ddos.html suggests that logging can itself trigger DOS)

This pattern in the log continues until I restart the box Windoze style. Is there a more appropriate way to abort this?

As an attempted preventative, I've added to the firewall initialization script to turn on /proc/sys/net/ipv4/icmp_ignore_echo_broadcasts. However, this has not eliminated this problem.

*MANY THANKS!!* for any help on this!

Stan

BTW, the relevant part of the ipchains script (for the external interface of the firewall box) is this:

  # rules for firewall box itself
  # EXTIF is eth1
  # I'm not running DNS here but rather pointing to the ISP's DNS
  # --allow www (for dselect upgrade of firewall box)
  # --allow DNS so www will work
  /sbin/ipchains -A ext-if -i ! $EXTIF -j DENY -l
  /sbin/ipchains -A ext-if -p TCP --dport www -j ACCEPT
  /sbin/ipchains -A ext-if -p TCP -s $DNSIP1 domain -j ACCEPT
  /sbin/ipchains -A ext-if -p UDP -s $DNSIP1 domain -j ACCEPT
  /sbin/ipchains -A ext-if -p TCP -s $DNSIP2 domain -j ACCEPT
  /sbin/ipchains -A ext-if -p UDP -s $DNSIP2 domain -j ACCEPT
  /sbin/ipchains -A ext-if -p TCP --dport 61000:65096 -j ACCEPT
  /sbin/ipchains -A ext-if -p UDP --dport 61000:65096 -j ACCEPT
  /sbin/ipchains -A ext-if -p ICMP --icmp-type ping -j ACCEPT
  /sbin/ipchains -A ext-if -p ICMP --icmp-type pong -j ACCEPT
  /sbin/ipchains -A ext-if -j icmp-acc
  /sbin/ipchains -A ext-if -j DENY -l
-- 
Stan Kaufman, Principal
The Epimetrics Group
144 Idora Avenue, San Francisco, CA 94127
tel: 415.505.9465  fax: 415.681.4954
http://www.epimetrics.com/

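Added example, not part of the post above or of ipchains itself: a small Python parser for ipchains "Packet log:" lines of the shape quoted in the message, followed by a burst check over the parsed records. ipchains prints ICMP packets with the ICMP type in the source-port slot and the ICMP code in the destination-port slot, so the parser decodes PROTO=1 entries as type/code (and TCP/UDP entries as ports) and also marks records whose source and destination address are the same host. The sample log below is constructed from the post's lines, with x.y.z.a kept as a placeholder and one made-up TCP line (203.0.113.7 is a documentation address) added to exercise the non-ICMP path; function names, the 60-second window and the threshold of 5 are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: lines shaped like the post's /var/log/messages excerpt
# (x.y.z.a is a placeholder for the external address) plus one made-up TCP line.
SAMPLE_LOG = """\
Nov 14 08:29:22 fwbox -- MARK --
Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=144 F=0x0000 T=255 (#1)
Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=145 F=0x0000 T=255 (#1)
Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=146 F=0x0000 T=255 (#1)
Nov 14 08:38:15 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=147 F=0x0000 T=255 (#1)
Nov 14 08:38:22 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=148 F=0x0000 T=255 (#1)
Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=100 S=0xD0 I=155 F=0x0000 T=255 (#1)
Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY eth1 PROTO=6 203.0.113.7:4321 x.y.z.a:23 L=60 S=0x00 I=9000 F=0x4000 T=51 (#12)
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Standard ICMP type numbers (RFC 792) and the codes used with type 3.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded", 12: "parameter-problem"}
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
                 3: "port-unreachable", 4: "fragmentation-needed", 5: "source-route-failed"}

# One ipchains packet-log line: syslog stamp, host, then the fixed field layout.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^:\s]+):(?P<sfield>\d+) (?P<dst>[^:\s]+):(?P<dfield>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$")


def parse_line(line):
    """Return a dict for one packet-log line, or None for anything else (e.g. '-- MARK --')."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    rec = {"ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),
           "chain": d["chain"], "target": d["target"], "iface": d["iface"],
           "proto": PROTO_NAMES.get(proto, str(proto)), "src": d["src"], "dst": d["dst"],
           "len": int(d["len"]), "tos": int(d["tos"], 16), "ttl": int(d["ttl"]),
           "rule": int(d["rule"])}
    if proto == 1:
        # For ICMP the two "port" slots carry type and code: "x.y.z.a:3 x.y.z.a:1" is type 3, code 1.
        t, c = int(d["sfield"]), int(d["dfield"])
        rec["icmp_type"], rec["icmp_code"] = t, c
        name = ICMP_TYPES.get(t, "type-%d" % t)
        if t == 3:
            name += "/" + UNREACH_CODES.get(c, "code-%d" % c)
        rec["detail"] = name
    else:
        rec["sport"], rec["dport"] = int(d["sfield"]), int(d["dfield"])
        rec["detail"] = "%d->%d" % (rec["sport"], rec["dport"])
    # A packet whose source and destination are the same host was generated locally.
    rec["self_addressed"] = rec["src"] == rec["dst"]
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def flow_key(rec):
    return (rec["chain"], rec["target"], rec["iface"], rec["proto"],
            rec["src"], rec["dst"], rec["detail"], rec["rule"])


def find_bursts(records, window=60, threshold=5):
    """Map flow_key -> peak hit count for flows with >= threshold hits in any window-second span."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[flow_key(r)].append(r["ts"])
    bursts = {}
    for key, times in by_flow.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > timedelta(seconds=window):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def report(text, window=60, threshold=5):
    """Human-readable summary lines for the bursting flows in a log excerpt."""
    lines = []
    for key, peak in find_bursts(parse_log(text), window, threshold).items():
        chain, target, iface, proto, src, dst, detail, rule = key
        tag = " (self-addressed)" if src == dst else ""
        lines.append("%d hits/%ds: %s %s on %s %s %s %s->%s rule #%d%s"
                     % (peak, window, chain, target, iface, proto, detail, src, dst, rule, tag))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample, the report lists one bursting flow: the ICMP destination-unreachable/host-unreachable entries on lo, all matched by rule #1 and all self-addressed, with five hits inside a 60-second window; the single TCP line never reaches the threshold. Feeding the real /var/log/messages through `report()` gives a quick way to see whether a DENY storm is one local flow repeating or many distinct external sources.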