On Fri, 2004-09-24 at 11:53, Eric Ellis wrote:
> I'm slightly confused about this log entry that I'm seeing pop up in my
> syslog.
>
> The firewall is 200.21.1.254, on a private net.
>
> Sep 24 11:57:03 firewall kernel: IN=eth0 OUT=
> MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=200.175.75.101 DST=200.21.1.254
> LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP TYPE=3
> CODE=3 [SRC=200.21.1.254 DST=200.175.75.101 LEN=48 TOS=0x00 PREC=0x00 TTL=102
> ID=2554 DF PROTO=TCP INCOMPLETE [8 bytes] ]
>
>
> it *almost* looks like my box is sending an ICMP query, and getting a
> "port closed" response. The thing that bothers me about this is that I
> don't allow ICMP to talk on the box at all, so I shouldn't be sending
> ICMP, or if the machine tries to, I should be getting it logged, as I'm
> logging all of my drops.
>
> Confused.

it appears as though your firewall (200.21.1.254) is receiving an ICMP port unreachable from 200.175.75.101 in response to a TCP packet it sent (or SNAT-ed for a machine behind it).

there are those that would say that it's actually not a bad idea to allow ICMP errors (types 3, 11, 12) into/through your firewall. YMMV.

icmp types/codes reference: http://www.iana.org/assignments/icmp-parameters

-j
--
Jason Opperisano <opie@xxxxxxxxxxx>
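The reply's reading of the log line rests on one detail of the netfilter LOG format: for an ICMP error, the fields in square brackets describe the packet that *triggered* the error (the IP header plus the first 8 bytes of its payload, which is why the TCP ports are reported as INCOMPLETE), not a packet the firewall received. The following script is an added example, not code from either poster or from the netfilter project; it parses the line quoted above, decodes the ICMP type/code from the IANA assignments, and checks whether the quoted inner packet was sent by the firewall itself. The function names (`parse_log_line`, `explain`) and the small code table are my own.

```python
"""Decode a netfilter (iptables LOG target) ICMP-error line and say what it means."""
import re

# ICMP error types and the meaning of their codes (subset of the IANA icmp-parameters list).
ICMP_ERRORS = {
    3: ("destination unreachable", {
        0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set",
        13: "communication administratively prohibited"}),
    11: ("time exceeded", {0: "TTL exceeded in transit",
                           1: "fragment reassembly time exceeded"}),
    12: ("parameter problem", {0: "pointer indicates the error"}),
}

# Sample input: the log line from the mail, with the mail client's line wrapping rejoined.
SAMPLE = ("Sep 24 11:57:03 firewall kernel: IN=eth0 OUT= "
          "MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=200.175.75.101 DST=200.21.1.254 "
          "LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP TYPE=3 CODE=3 "
          "[SRC=200.21.1.254 DST=200.175.75.101 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=2554 DF "
          "PROTO=TCP INCOMPLETE [8 bytes] ]")


def _fields(text):
    """Turn 'KEY=VALUE ... FLAG ...' into a dict; bare flags (DF) become True.

    'INCOMPLETE [N bytes]' is recorded as INCOMPLETE=N: the LOG target prints it when the
    quoted payload is too short to show the full transport header (so no TCP ports appear).
    """
    out = {}
    m = re.search(r"INCOMPLETE \[(\d+) bytes\]", text)
    if m:
        out["INCOMPLETE"] = int(m.group(1))
        text = text[:m.start()] + text[m.end():]
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            out[key] = value
        elif tok.isalpha():
            out[tok] = True
    return out


def parse_log_line(line):
    """Split a LOG line into (outer packet, packet quoted inside the ICMP error or None)."""
    body = line.split("kernel:", 1)[1] if "kernel:" in line else line
    start, end = body.find("["), body.rfind("]")
    if start == -1 or end < start:
        return _fields(body), None
    return _fields(body[:start]), _fields(body[start + 1:end])


def explain(line):
    """Describe an inbound ICMP error: who reported it, about which packet, and whose it was."""
    outer, inner = parse_log_line(line)
    if outer.get("PROTO") != "ICMP" or inner is None:
        return None  # not an ICMP error carrying a quoted packet
    itype, icode = int(outer["TYPE"]), int(outer["CODE"])
    if itype not in ICMP_ERRORS:
        return None
    name, codes = ICMP_ERRORS[itype]
    return {
        "error": f"{name}: {codes.get(icode, 'code ' + str(icode))}",
        "reporter": outer["SRC"],
        # True when the quoted packet was sent by the host that received the error,
        # i.e. the ICMP is a legitimate response to our own (or SNAT-ed) traffic.
        "our_packet": inner["SRC"] == outer["DST"],
        "original": f"{inner['PROTO']} {inner['SRC']} -> {inner['DST']}",
        "ports_known": "INCOMPLETE" not in inner,
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key:12} {value}")
```

Run against the sample, `our_packet` comes out True and `original` reads `TCP 200.21.1.254 -> 200.175.75.101`, which is exactly the reply's conclusion: the firewall (or a host it SNATs for) sent a TCP segment, and the remote end answered with port unreachable. The practical follow-up on a netfilter box is to admit such errors with a connection-tracking match (`-m state --state RELATED`), which accepts an ICMP error only when its quoted packet matches an existing connection, rather than opening ICMP wholesale.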