On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:

> >1)... dunno what to make of that,
> 
> Me either. Please provide the full line for the blocked packet (as you did 
> with the second example,  below), not an uninterpretable fragment. This 
> *could* just be icmp type 3, message 1 ("host unreachable"). Or it could be 
> something else, since you don't tell us (for example) what the PROTO= value 
> is..

O.K. full log entry:
Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)

As I said, there are a bunch of this kind of entries, all 
PROTO=1 <some-ip>:3 62.243.222.62:1 L=56 S=0x00 I varying T varying (#
varying)

It starts at 11:36:39 and continues through the day to 21:11:20.

The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server,
behind it. None of the IPs logged show in the server's logs.

I don't usually see this much activity in the firewall's logs.
 
> >but then there's this guy:
> >
> >is this some kind of DoS? Am I under attack, or is it just some
> >misconfigured box?
> 
> Probably none of the above. PROTO=1 means icmp, and "port" 5 (it's really a 
> message type, not a port, when icmp is involved) means it is an icmp 
> redirect packet. The packet should be telling you that this host is not the 
> preferred  route to some destination. Whether this means a problem with 
> your routing table or someone else's is unknowable from the information you 
> have provided.

I don't think there's a problem with my box's routing table, meaning
that the clients on the lan have no problems connecting to the net or
the dmz/server. Also there are no problems connecting to the server from
'outside'... It's been running with the current config for months.

TIA

Jon Clausen
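
Added example, not part of the original thread: a small Python parser for ipchains "Packet log" entries that applies the reading given above, where for PROTO=1 the source "port" is the ICMP type and the destination "port" is the ICMP code. The function names `parse` and `summarize` are hypothetical; the first sample line is the entry posted in this message, and the other two are constructed.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?")
# Common ICMP types, plus the codes of the two types discussed in the thread (RFC 792).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded"}
ICMP_CODES = {
    3: {0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set"},
    5: {0: "for network", 1: "for host", 2: "for TOS and network", 3: "for TOS and host"}}

def parse(line):
    """Parse one ipchains log entry; return a dict, or None if it is not one."""
    m = LOG_RE.search(" ".join(line.split()))  # undo wrapping added by mail clients
    if m is None:
        return None
    rec = {"chain": m["chain"], "target": m["target"], "iface": m["iface"],
           "proto": int(m["proto"]), "src": m["src"], "dst": m["dst"],
           "length": int(m["length"]), "ttl": int(m["ttl"]),
           "rule": int(m["rule"]) if m["rule"] else None}
    a, b = int(m["sport"]), int(m["dport"])
    if rec["proto"] == 1:  # ICMP: the "ports" are really type and code
        name = ICMP_TYPES.get(a, "type %d" % a)
        detail = ICMP_CODES.get(a, {}).get(b)
        rec.update(icmp_type=a, icmp_code=b,
                   meaning=name + (": " + detail if detail else ""))
    else:
        rec.update(sport=a, dport=b)
    return rec

def summarize(lines):
    """Count ICMP entries per meaning and collect the distinct senders."""
    counts, senders = Counter(), set()
    for rec in filter(None, map(parse, lines)):
        if rec["proto"] == 1:
            counts[rec["meaning"]] += 1
            senders.add(rec["src"])
    return counts, senders

SAMPLE = [  # entry 1 is from this message (re-joined); entries 2 and 3 are constructed
    "Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1\n"
    "10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)",
    "Oct 14 15:02:11 fw kernel: Packet log: input DENY eth0 PROTO=1 "
    "192.0.2.7:5 62.243.222.62:1 L=56 S=0x00 I=1201 F=0x0000 T=250 (#9)",
    "Oct 14 15:03:40 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "198.51.100.9:4021 62.243.222.62:23 L=60 S=0x00 I=77 F=0x4000 T=51 (#9)"]
```

Running `summarize` over a whole day's log shows at a glance whether the burst is one ICMP message type from many senders or a mix of types.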


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
