Hi everyone!

I'm seeing some "PROTO=ICMP" messages in my Shorewall logs since four or
five days ago, and I wonder what they can be. I have Bering 1.2
connected between my ADSL modem and my internal LAN. The internal
router's IP is 192.168.1.254, and the only computer I have connected to
the network at the moment is 192.168.1.250, running Mandrake 9.1. The
Bering box is floppy-based and the floppy is write-protected.

I get lots of these "PROTO=ICMP" messages from external addresses, but what
worries me is that it looks like I'm getting these from my Bering box!
Here are the messages I get, as copied from weblet (sorry they lost
formatting).
From "Current Connections", under "Masqueraded Connections" (only at
the time it happens, then these connections disappear)
icmpsrc=8dst=192.168.1.255dst=src=192.168.1.250type=8 --1 sec. id=4107
[UNREPLIED] src=192.168.1.255 dst=192.168.1.250 type=0 code=0
id=4107use=1
icmpsrc=8dst=192.168.1.0dst=src=192.168.1.250type=8 --1 sec. id=4107
[UNREPLIED] src=192.168.1.0 dst=192.168.1.250 type=0 code=0 id=4107
use=1
From "hits sorted by frequency and ip address" under my router's
address "hits caused by 192.168.1.254". It starts at about the time I
booted the router:
Sep 15 19:05:11 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:f5:c5:00:01:ff:ff:02:01:f5:c5:02:06:ff:ff:13:00:f5:c5:00:01:ff:ff:02:01:f5:c5:10:09:ff:ff:2a:00:f5:c5:00:01:ff:ff:02:01:f5:c5:00:05:ff:ff:05:00:f5:c5:00:01:ff:ff:02:01:f5:c5:10:07:ff:ff:66:00:f5:c5:00:01:ff:ff:02:01:f5:c5:00:06:ff:ff:0a:45:00:00:1c:1e:90:00:00:40:01:d7:08:c0:a8:01:fe:c0:a8:01:fa:00:00:a0:f8:5f:07:00:00:06:ff:ff
SRC=192.168.1.254 DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=7824 PROTO=ICMP
TYPE=0 CODE=0 ID=24327 SEQ=0
Sep 15 19:05:21 darouter Shorewall:all2all:REJECT: IN= OUT=eth1 MAC=
SRC=192.168.1.254 DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64
ID=36278 PROTO=ICMP TYPE=0 CODE=0 ID=24327 SEQ=0
Sep 15 19:10:33 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=28710 PROTO=ICMP
TYPE=0 CODE=0 ID=22281 SEQ=0
Sep 15 19:10:43 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=819 PROTO=ICMP
TYPE=0 CODE=0 ID=22281 SEQ=0
Sep 15 19:20:36 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=2744 PROTO=ICMP
TYPE=0 CODE=0 ID=54793 SEQ=0
Sep 15 19:20:46 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=44529 PROTO=ICMP
TYPE=0 CODE=0 ID=54793 SEQ=0
Sep 15 19:40:41 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=5934 PROTO=ICMP
TYPE=0 CODE=0 ID=9482 SEQ=0
Sep 15 19:40:44 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=33894 PROTO=ICMP
TYPE=0 CODE=0 ID=9482 SEQ=0
Sep 15 20:20:43 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=31960 PROTO=ICMP
TYPE=0 CODE=0 ID=38154 SEQ=0
Sep 15 20:20:53 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=64183 PROTO=ICMP
TYPE=0 CODE=0 ID=38154 SEQ=0
Sep 15 21:40:46 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=54824 PROTO=ICMP
TYPE=0 CODE=0 ID=4107 SEQ=0
Sep 15 21:40:53 darouter Shorewall:all2all:REJECT: IN= OUT=eth1
MAC=00:20:af:5d:e1:9a:00:20:1a:11:3d:73:08:00 SRC=192.168.1.254
DST=192.168.1.250 LEN=28 TOS=00 PREC=0x00 TTL=64 ID=48465 PROTO=ICMP
TYPE=0 CODE=0 ID=4107 SEQ=0
After this they keep coming every hour and 20 minutes.
Any ideas? I'm grateful for any directions, pointers, suggestions.
--
Jordi Besora <[EMAIL PROTECTED]>
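
Added example (not part of the original post, and not Shorewall or LEAF project code): one way to triage rejects like the ones above is to re-join the wrapped log entries, key them on the ICMP ID (the second ID= field, after PROTO=ICMP, not the IP ID) and measure the time between bursts. The sample input is condensed from the log above; the function names and the placeholder year are assumptions.

```python
import re
from datetime import datetime

# Sample input condensed from the log in the post (MAC= and some IP header
# fields dropped). Entries are wrapped and run together, as in the mail.
SAMPLE = """\
Sep 15 19:05:11 darouter Shorewall:all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250
ID=7824 PROTO=ICMP TYPE=0 CODE=0 ID=24327 SEQ=0 Sep 15 19:05:21 darouter Shorewall:all2all:REJECT:
IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250 ID=36278 PROTO=ICMP TYPE=0 CODE=0 ID=24327 SEQ=0
Sep 15 19:10:33 darouter Shorewall:all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250
ID=28710 PROTO=ICMP TYPE=0 CODE=0 ID=22281 SEQ=0 Sep 15 19:10:43 darouter Shorewall:all2all:REJECT:
IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250 ID=819 PROTO=ICMP TYPE=0 CODE=0 ID=22281 SEQ=0
Sep 15 19:20:36 darouter Shorewall:all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250
ID=2744 PROTO=ICMP TYPE=0 CODE=0 ID=54793 SEQ=0 Sep 15 19:20:46 darouter Shorewall:all2all:REJECT:
IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250 ID=44529 PROTO=ICMP TYPE=0 CODE=0 ID=54793 SEQ=0
Sep 15 19:40:41 darouter Shorewall:all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250
ID=5934 PROTO=ICMP TYPE=0 CODE=0 ID=9482 SEQ=0 Sep 15 19:40:44 darouter Shorewall:all2all:REJECT:
IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.250 ID=33894 PROTO=ICMP TYPE=0 CODE=0 ID=9482 SEQ=0
"""

STAMP = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"({STAMP}) .*?SRC=(\S+) DST=(\S+) .*?PROTO=ICMP TYPE=(\d+) CODE=\d+ ID=(\d+)")

def parse(text, year=2000):  # syslog stamps carry no year; placeholder value
    """Yield (time, src, dst, icmp_type, icmp_id) for each log entry."""
    flat = " ".join(text.split())  # undo the mail's line wrapping
    for chunk in re.split(rf"(?={STAMP} \S+ Shorewall:)", flat):
        m = ENTRY.match(chunk)
        if m:
            when = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            yield when, m[2], m[3], int(m[4]), int(m[5])

def bursts(entries):
    """Group by (src, dst, type, ICMP id); return sorted [(first_seen, icmp_id, count)]."""
    seen = {}
    for when, *key in entries:
        first, n = seen.get(tuple(key), (when, 0))
        seen[tuple(key)] = (min(first, when), n + 1)
    return sorted((first, key[3], n) for key, (first, n) in seen.items())

def gaps_minutes(text):
    """Minutes (rounded) between the start of one burst and the next."""
    starts = [first for first, _, _ in bursts(parse(text))]
    return [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    for first, icmp_id, n in bursts(parse(SAMPLE)):
        print(first.time(), "ICMP id", icmp_id, "entries", n)
    print("minutes between bursts:", gaps_minutes(SAMPLE))
```

On the sample, each burst is two entries sharing one ICMP ID, and the bursts start 5, 10 and 20 minutes apart.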