--
Eric Ellis
Gilchrist County Sheriff's Department
IT Coordinator
eellis@xxxxxxxxxxxxxxxxxxxxxxx
352-463-3181
--- Begin Message ---
Jason Opperisano wrote:
> On Fri, 2004-09-24 at 11:53, Eric Ellis wrote:
>> I'm slightly confused about this log entry that I'm seeing pop up in my
>> syslog.
>> The firewall is 200.21.1.254, on a private net.
>>
>> Sep 24 11:57:03 firewall kernel: IN=eth0 OUT= MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=200.175.75.101 DST=200.21.1.254 LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP TYPE=3 CODE=3 [SRC=200.21.1.254 DST=200.175.75.101 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=2554 DF PROTO=TCP INCOMPLETE [8 bytes] ]
>>
>> It *almost* looks like my box is sending an ICMP query, and getting a
>> "port closed" response. The thing that bothers me about this is that I
>> don't allow ICMP to talk on the box at all, so I shouldn't be sending
>> ICMP, or if the machine tries to, I should be getting it logged, as I'm
>> logging all of my drops.
>>
>> Confused.
>
> It appears as though your firewall (200.21.1.254) is receiving an ICMP
> port unreachable from 200.175.75.101 in response to a TCP packet it sent
> (or SNAT-ed for a machine behind it).

See, the problem is that ICMP doesn't talk on the box *any* direction.
It all gets dropped. I'm not seeing how my firewall or anything on the
private side is sending an ICMP request. A dump of my iptables rules is
attached.

> There are those that would say that it's actually not a bad idea to
> allow ICMP errors (types 3, 11, 12) into/through your firewall. YMMV.
>
> ICMP types/codes reference:
> http://www.iana.org/assignments/icmp-parameters
>
> -j
root@firewall:~# iptables -vL
Chain INPUT (policy DROP 1249 packets, 187K bytes)
 pkts bytes target prot opt in   out  source    destination
23839 7716K ACCEPT all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
   60  3738 ACCEPT all  --  lo   any  anywhere  anywhere
    2    96 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:ssh
    4   192 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:socks
    0     0 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:8000
  347 16656 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:8080
    0     0 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:domain
   64  3937 ACCEPT udp  --  eth1 any  anywhere  anywhere  udp dpt:domain
    4  1316 ACCEPT udp  --  eth1 any  anywhere  anywhere  udp dpt:bootps
25278 3676K DROP   udp  --  any  any  anywhere  anywhere  udp dpts:loc-srv:netbios-ssn
    0     0 DROP   tcp  --  any  any  anywhere  anywhere  tcp dpts:loc-srv:netbios-ssn
 5802 1965K DROP   udp  --  any  any  anywhere  anywhere  udp dpt:router
 1249  187K LOG    all  --  any  any  anywhere  anywhere  LOG level warning

Chain FORWARD (policy DROP 1398 packets, 77300 bytes)
 pkts bytes target prot opt in   out  source    destination
1313K  979M ACCEPT all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:http
   90  4320 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:https
    0     0 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:ssh
    0     0 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:ftp
    1    48 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:smtp
    0     0 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:pop3
    1    48 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:imap
    0     0 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:domain
   23  1439 ACCEPT udp  --  eth1 any  anywhere  anywhere  udp dpt:domain
    4   192 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:5900
 5794  296K ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpts:6881:6889
   95  4560 ACCEPT tcp  --  eth1 any  anywhere  anywhere  tcp dpt:acmsoda
 1398 77300 LOG    all  --  any  any  anywhere  anywhere  LOG level warning

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source    destination
25955 8555K ACCEPT all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
   60  3738 ACCEPT all  --  any  lo   anywhere  anywhere
  395 25413 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:http
    0     0 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:ssh
    0     0 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:domain
  400 28663 ACCEPT udp  --  any  any  anywhere  anywhere  udp dpt:domain
    0     0 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:aol
    0     0 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:mmcc
    2   120 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:1863
    0     0 ACCEPT udp  --  any  any  anywhere  anywhere  udp dpt:1863
    0     0 ACCEPT tcp  --  any  any  anywhere  anywhere  tcp dpt:https
    0     0 ACCEPT udp  --  any  eth1 anywhere  anywhere  udp spt:bootps
    0     0 LOG    all  --  any  any  anywhere  anywhere  LOG level warning
--- End Message ---
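A decoder for the kind of LOG line argued over in the message above, added here as an example; it is not code from the thread or from either poster. It takes the log line from the message rejoined onto one line, plus two constructed lines of my own (an ICMP echo request and a TCP SYN, with addresses from the 198.51.100.0/24 documentation range) so the three cases the decoder distinguishes are all exercised, and reports whether a logged ICMP message is an error whose quoted original packet carried the firewall's own source address, which is the distinction the thread turns on. The firewall address 200.21.1.254 is the one stated in the thread; the initial-TTL guess is a heuristic of mine, not anything the thread states.

```python
"""Decode iptables LOG lines and say what a logged ICMP message actually is."""

# Sample 1: the LOG line from the thread, rejoined onto a single line.
SAMPLE_ICMP_ERROR = (
    "Sep 24 11:57:03 firewall kernel: IN=eth0 OUT= "
    "MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=200.175.75.101 DST=200.21.1.254 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=200.21.1.254 DST=200.175.75.101 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=2554 DF "
    "PROTO=TCP INCOMPLETE [8 bytes] ]"
)
# Samples 2 and 3: constructed by me, not from the thread, to cover the other cases.
SAMPLE_ICMP_QUERY = (
    "Sep 24 11:58:00 firewall kernel: IN=eth0 OUT= MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 "
    "SRC=198.51.100.7 DST=200.21.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=1 "
    "PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1"
)
SAMPLE_TCP_SYN = (
    "Sep 24 11:59:00 firewall kernel: IN=eth0 OUT= MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 "
    "SRC=198.51.100.9 DST=200.21.1.254 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=7 DF "
    "PROTO=TCP SPT=3204 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0"
)

FIREWALL_IP = "200.21.1.254"  # the firewall's address as stated in the thread

# ICMP types that report an error and quote the packet that caused it (IANA icmp-parameters).
ICMP_ERROR_TYPES = {3: "destination-unreachable", 11: "time-exceeded", 12: "parameter-problem"}
# Type 3 codes (RFC 792 / RFC 1122), enough for the common cases.
UNREACHABLE_CODES = {
    0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
    3: "port-unreachable", 4: "fragmentation-needed", 9: "net-prohibited",
    10: "host-prohibited", 13: "communication-prohibited",
}


def _fields(text):
    """KEY=value tokens become dict entries; bare upper-case words (DF, SYN, INCOMPLETE) are flags."""
    kv = {}
    flags = set()
    for tok in text.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            kv[key] = val
        elif tok.isalpha() and tok.isupper():
            flags.add(tok)
    kv["FLAGS"] = flags
    return kv


def parse_log_line(line):
    """Return {'outer': fields, 'inner': fields or None}.

    For ICMP errors the LOG target prints the quoted original packet inside [ ... ];
    the '[8 bytes]' annotation inside it means only 8 bytes of that packet's
    transport header were quoted, which is why its ports are not shown."""
    first, last = line.find("["), line.rfind("]")
    if first < 0 or last < first:
        return {"outer": _fields(line), "inner": None}
    return {"outer": _fields(line[:first]), "inner": _fields(line[first + 1:last])}


def guess_initial_ttl(ttl):
    """Heuristic (my assumption): the sender started from one of the usual default TTLs."""
    return next((d for d in (64, 128, 255) if d >= ttl), None)


def explain(line, firewall_ip=FIREWALL_IP):
    """Classify a LOG line as non-ICMP, an ICMP query, or an ICMP error about a quoted packet."""
    pkt = parse_log_line(line)
    outer, inner = pkt["outer"], pkt["inner"]
    if outer.get("PROTO") != "ICMP":
        return {"kind": "non-icmp", "proto": outer.get("PROTO"), "src": outer.get("SRC")}
    itype, code = int(outer["TYPE"]), int(outer.get("CODE", 0))
    if itype not in ICMP_ERROR_TYPES or inner is None:
        return {"kind": "icmp-query", "type": itype, "src": outer["SRC"]}
    name = ICMP_ERROR_TYPES[itype]
    if itype == 3:
        name += "/" + UNREACHABLE_CODES.get(code, "code-%d" % code)
    return {
        "kind": "icmp-error",
        "error": name,
        "sender": outer["SRC"],                     # the host reporting the error
        "quoted_src": inner["SRC"],                 # the packet the error is about ...
        "quoted_dst": inner["DST"],
        "quoted_proto": inner["PROTO"],
        "quoted_flags": inner["FLAGS"],
        # True: the error concerns a packet that left with the firewall's own address on it,
        # i.e. the firewall (or a host it SNATs) sent TCP and got an error back, not an ICMP query.
        "about_our_packet": inner["SRC"] == firewall_ip,
        "quoted_initial_ttl_guess": guess_initial_ttl(int(inner["TTL"])),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ICMP_ERROR, SAMPLE_ICMP_QUERY, SAMPLE_TCP_SYN):
        print(explain(sample))
```

Because the LOG rule is the last entry in the INPUT chain listed above, a line it produces is one that no earlier rule, the `state RELATED,ESTABLISHED` match included, accepted; the decoder says what the packet is, not why connection tracking did not pair it with the TCP packet it quotes. The quoted packet's TTL of 102 is what the remote host saw, so the initial-TTL guess of 128 is only a hint that the original sender may not have been the Linux firewall itself.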