On Fri, Apr 04, 2003 at 07:43:02PM -0500, Chris H. wrote: > Hi there, > Recently I have notice some strange logs on my > ipfilter firewall. And I am not quite sure what does > it mean. > hopefully someone can shade a light... > > in addition, > 1) is this a pattern of so call "source routing"? > > thanks all, > > here is the log ,,,, > Mar 30 17:28:09 gateway ipmon[87]: 17:28:08.298326 sf0 > @0:6 b 80.129.109.79 -> my.ext.ip.addr PR icmp len 20 > 56 icmp unreach/host for my.ext.ip.addr,25092 - > 192.168.2.9,4665 PR udp len 20 8724 IN
This is a packet sent from 80.129.109.79 (probably a router) back to your firewall. It is an ICMP Host Unreachable message, sent in response to a packet that was sent out from your firewall IP to 192.168.2.9. If you are absolutely positive no such packet was originally sent from your firewall (or from a host behind it, if you are using NAT) then it could be due to someone sending out spoofed-source packets using your firewall IP in order to create a reflected packet flood. However, unless you are seeing massive quantities of these, that is probably unlikely. -c
