I'm guessing that if you look closer you will find that the packet with port 53 is also different in another way -- the protocol will be UDP (possibly TCP, but more likely UDP). This is most likely a slow response from a DNS server.
The ICMP type 5 (ICMP doesn't use ports. The "5" is a service type) packet is an ICMP redirect. The purpose of ICMP type 5 is to cause a router to change its routing tables. It is possible that your gateway router is misconfigured to use EGRP (Exterior Gateway Routing Protocol), causing it to send ICMP redirects when it receives a packet for an unreachable destination, or it is possible that someone is trying to perform a "man in the middle" attack by redirecting you to a different router. The GNAT Box doesn't log the "code" and "gateway address" segments of the ICMP type 5 packet, so tracking down exactly what is happening will take some legwork outside of the GNAT Box (i.e., checking the router configuration, etc.).

Some links to more information:
http://www.interhack.net/pubs/fwfaq/#SECTION00052000000000000000
http://www.ee.siue.edu/~rwalden/networking/icmpmess.html#redir
http://www.robertgraham.com/pubs/firewall-seen.html#2

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]

> -----Original Message-----
> From: Reasoner, Bob (PHES) [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 4:31 PM
> To: [EMAIL PROTECTED]
> Subject: [gb-users] Unusual alarm?
>
>
> I receive an unusual alarm about once or twice a month that appears to
> come from my gateway router and my external dns server. The following is an
> excerpt of the alarm from my Cisco router:
>
> ALARM NO: 1
> DATE: Tue 2002-01-15 13:59:55 CST
> PRIORITY: 4
> INTERFACE: Pro 100 External (fxp0)
> INTERFACE TYPE: External
> ALARM TYPE: Block
> IP PACKET: ICMP
> [xxx.xxx.xxx.xxx/5]-->[xxx.xxx.xxx.xxx/5] l=32 f=0x0
>
> [phes-inet.hd.co.harris.tx.us/5]-->[ext-212.hd.co.harris.tx.us/5]
>
> DETAILED DESCRIPTION:
> IP packet was rejected by filter 16.
>
> Filter 16 is the default "Stealth" filter. It is always pointing at an
> alias which in turn points to a range of devices behind my gb-flash.
>
> The one from my external DNS server is the same with the exception of it
> using port 53 (DNS) translating to some extremely high port number.
>
> I'm assuming that these are some type of stale packets, but can't figure
> out what is causing them.
>
> Any suggestions?
>
>
> Bob Reasoner
> Harris County Public Health & Environmental Services
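Since the GNAT Box alarm omits the redirect "code" and "gateway address", the legwork Mike describes usually means pulling the raw ICMP message from a packet capture on the external interface and decoding it by hand. The following is an added example for doing that, not code from the thread, from the GNAT Box or from any of the linked pages: it decodes an ICMP type 5 message (code, new gateway, and the embedded IP header of the datagram that triggered the redirect), verifies the checksum, and then applies the RFC 1122 acceptance rules a host uses (sender must be the current first-hop gateway, the new gateway must be on a directly connected network, and the embedded datagram must have come from us). The sample messages, the network 192.0.2.0/24 and the gateway addresses are constructed here for illustration and are not the addresses from the alarm.

```python
"""Decode an ICMP redirect (type 5) and check it against the local network.

Added example. Sample messages below are constructed for offline use; they are
not packets from the thread. Local network and gateway values are assumptions.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {
    0: "redirect datagrams for the network",
    1: "redirect datagrams for the host",
    2: "redirect datagrams for the type of service and network",
    3: "redirect datagrams for the type of service and host",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a message whose checksum
    field is already filled in, a correct message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_redirect(icmp: bytes) -> dict:
    """Split a raw ICMP redirect into the fields the firewall alarm leaves out,
    plus the header of the original datagram carried after the 8-byte ICMP header."""
    if len(icmp) < 28:  # 8-byte ICMP header + at least a 20-byte IP header
        raise ValueError("ICMP message too short to be a redirect")
    msg_type, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if msg_type != ICMP_REDIRECT:
        raise ValueError(f"not an ICMP redirect: type {msg_type}")
    inner = icmp[8:]
    vihl, _tos, _tlen, _ident, _frag, _ttl, proto, _hcs, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    return {
        "code": code,
        "code_text": REDIRECT_CODES.get(code, "unknown/reserved code"),
        "checksum_ok": inet_checksum(icmp) == 0,
        "gateway": ipaddress.IPv4Address(gw),      # the router we are told to use instead
        "orig_src": ipaddress.IPv4Address(src),    # who sent the datagram being redirected
        "orig_dst": ipaddress.IPv4Address(dst),    # where that datagram was headed
        "orig_proto": proto,                       # 17 = UDP, 6 = TCP, 1 = ICMP
        "inner_version": vihl >> 4,
    }


def redirect_findings(fields: dict, local_net: str, current_gw: str, icmp_src: str) -> list:
    """Apply the RFC 1122 acceptance rules. An empty list means the redirect looks
    like an ordinary one from our own gateway; anything else deserves a look at
    the router configuration."""
    net = ipaddress.IPv4Network(local_net)
    findings = []
    if not fields["checksum_ok"]:
        findings.append("bad ICMP checksum")
    if fields["code"] not in REDIRECT_CODES:
        findings.append("unknown redirect code")
    if ipaddress.IPv4Address(icmp_src) != ipaddress.IPv4Address(current_gw):
        findings.append("sender is not our current gateway")
    if fields["gateway"] not in net:
        findings.append("new gateway is not on the local network")
    if fields["orig_src"] not in net:
        findings.append("embedded datagram was not sent from our network")
    return findings


def build_sample_redirect(code: int, gateway: str, orig_src: str, orig_dst: str) -> bytes:
    """Construct a redirect message offline as input for the decoder above.
    The embedded datagram is a UDP header to port 53, mirroring the DNS traffic
    in the thread; all addresses are documentation-range placeholders."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed)
    inner += struct.pack("!HHHH", 40000, 53, 8, 0)  # first 8 bytes of the original datagram
    gw = ipaddress.IPv4Address(gateway).packed
    csum = inet_checksum(struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, gw) + inner)
    return struct.pack("!BBH4s", ICMP_REDIRECT, code, csum, gw) + inner


if __name__ == "__main__":
    LOCAL_NET, CURRENT_GW = "192.0.2.0/24", "192.0.2.1"  # assumed values
    # Ordinary redirect from our own gateway to another router on our segment.
    legit = build_sample_redirect(1, "192.0.2.254", "192.0.2.10", "198.51.100.7")
    print(redirect_findings(parse_icmp_redirect(legit), LOCAL_NET, CURRENT_GW, "192.0.2.1"))
    # Redirect from an off-segment sender naming an off-segment gateway.
    odd = build_sample_redirect(1, "203.0.113.9", "192.0.2.10", "198.51.100.7")
    print(redirect_findings(parse_icmp_redirect(odd), LOCAL_NET, CURRENT_GW, "203.0.113.5"))
```

Feed `parse_icmp_redirect` the ICMP payload of each blocked packet from a capture taken on fxp0 (everything after the outer IP header). The `orig_dst` and `orig_proto` fields tell you which of your own flows the router thought should take a different path, which is the quickest way to tell a misconfigured gateway (redirects only for a handful of destinations, always from your gateway's address) from something that warrants more attention.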
