Hello Cedric, salut,

thanks for your reply, digestified list too,

> > [SRC=80.5.144.39 DST=200.179.192.14 LEN=40 TOS=0x00 PREC=0x00 TTL=1
> > ID=12701 PROTO=TCP INCOMPLETE [8 bytes] ]
>
> This is original packet citation so your kernel can associate the error
> to the right sent IP packet.

thanks, it's ICMP repeat quoting, that explains the second SRC,

> > DST=80.5.144.39
> Destination : probably you :)

yes, but probably not! ... I didn't do a traceroute (until after!)

I am a workstation, on NTL cable modem, with mediocre security,
and reasonable iptables. I drop most un-established incoming things
(a reply is too easy), allow all out (for now), and limit messages
(so possibly miss some details).

I have a test 192.168. NAT laptop, but I didn't initiate this message.
Hacked?

If someone else injected the original packet, or the reply, why?

Maybe it goes through their router? (unlikely)
Maybe they want to create junk noise (wastes our time)
Maybe they are debugging their code (whatever)
Maybe I have an alien/virus (how would I know)

Anyhow, I just wanted to let you know, in case such things interest you ;-)
I don't think there's much I can do, other than tighten up out-bound.

> > TTL=247
> Type 11, code 0 is TTL exceeded in transit.
> http://logi.cc/linux/NetfilterLogAnalyzer.php3

regards
-- 
Graham
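Added example, not part of the original message: a small parser for the kind of netfilter LOG line discussed above, separating the outer ICMP error from the packet quoted inside the brackets and checking whether the quoted packet claims a local address as its source. The `SAMPLE` line is constructed: the inner packet, outer DST, TTL=247 and type 11/code 0 come from the message; the interface, outer SRC (192.0.2.1), LEN and ID are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample line (see lead-in for which fields are placeholders).
SAMPLE = ("IN=eth0 OUT= SRC=192.0.2.1 DST=80.5.144.39 LEN=56 TOS=0x00 PREC=0x00 "
          "TTL=247 ID=0 PROTO=ICMP TYPE=11 CODE=0 "
          "[SRC=80.5.144.39 DST=200.179.192.14 LEN=40 TOS=0x00 PREC=0x00 TTL=1 "
          "ID=12701 PROTO=TCP INCOMPLETE [8 bytes] ]")

KV = re.compile(r"(\w+)=(\S*)")
# ICMP error types that quote the offending packet.
ICMP_ERRORS = {"3": "destination unreachable", "11": "time exceeded",
               "12": "parameter problem"}

def split_quoted(line):
    """Split a LOG line into (outer text, text of the first [...] group)."""
    start = line.find("[")
    if start < 0:
        return line, ""
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "[":
            depth += 1          # nested group such as "[8 bytes]"
        elif line[i] == "]":
            depth -= 1
            if depth == 0:
                return line[:start], line[start + 1:i]
    return line[:start], line[start + 1:]   # truncated line: keep what is there

def parse(line):
    """Return (outer_fields, quoted_fields) as two separate dicts."""
    outer, inner = split_quoted(line)
    return dict(KV.findall(outer)), dict(KV.findall(inner))

def classify(line, local_addrs):
    """Say whether an ICMP error quotes a packet sourced from one of our addresses."""
    outer, inner = parse(line)
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") not in ICMP_ERRORS or not inner:
        return "not-an-icmp-error"
    if inner.get("SRC") in local_addrs:
        return "quotes-local-source"
    return "quotes-foreign-source"

if __name__ == "__main__":
    outer, inner = parse(SAMPLE)
    print(ICMP_ERRORS[outer["TYPE"]], "from", outer["SRC"],
          "about", inner["SRC"], "->", inner["DST"], "TTL", inner["TTL"])
    print(classify(SAMPLE, {"80.5.144.39"}))
```

A `quotes-local-source` result only says the quoted packet carried this host's address: it may have been sent locally or by a NATed machine behind it, or the source may have been spoofed, and the log line alone cannot tell these apart.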