Re: Can't interpret this log entry

On Fri, 24 Sep 2004 at 17:53, Eric Ellis wrote:
> I'm slightly confused about this log entry that I'm seeing pop up in my 
> syslog.
> 
> The firewall is 200.21.1.254, on a private net.
> 
> Sep 24 11:57:03 firewall kernel: IN=eth0 OUT=
> MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=200.175.75.101
> DST=200.21.1.254 LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP
> TYPE=3 CODE=3 [SRC=200.21.1.254 DST=200.175.75.101 LEN=48 TOS=0x00
> PREC=0x00 TTL=102 ID=2554 DF PROTO=TCP INCOMPLETE [8 bytes] ]
> 
> 
> it *almost* looks like my box is sending an ICMP query, and getting a 
> "port closed" response.  The thing that bothers me about this is that I 
> don't allow ICMP to talk on the box at all, so I shouldn't be sending 
> ICMP, or if the machine tries to, I should be getting it logged, as I'm 
> logging all of my drops.
> 
> Confused.

It seems you are getting an ICMP Port Unreachable from the machine
the firewall is trying to connect to. It's not a bad idea to let this
kind of traffic go through your firewall, because if the application
doesn't get this kind of message it can try again to connect to the
port. It's the kind of response other firewalls usually give when
they don't want your traffic to go through them.
 
-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
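
As an added example (not part of this thread), here is a small Python parser for netfilter LOG lines of the kind quoted above. It separates the outer ICMP packet from the original packet that netfilter prints in square brackets, names the type 3 code, and checks whether the embedded packet was sent by the logging host itself, which is what makes this entry a reply to the firewall's own outbound TCP rather than an unsolicited ICMP exchange. The sample is the thread's log line re-joined onto one line.

```python
import re

# Constructed sample: the LOG line quoted in this thread, re-joined onto one line.
SAMPLE = (
    "Sep 24 11:57:03 firewall kernel: IN=eth0 OUT= "
    "MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=200.175.75.101 "
    "DST=200.21.1.254 LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=200.21.1.254 DST=200.175.75.101 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=102 ID=2554 DF PROTO=TCP INCOMPLETE [8 bytes] ]"
)

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1812.
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed",
    13: "communication administratively prohibited",
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Return (outer, inner): dicts of KEY=VALUE fields for the logged packet
    and, for ICMP errors, the original packet netfilter prints in [ ... ]."""
    outer_text, inner_text = line, None
    lb = line.find("[SRC=")
    if lb != -1:
        outer_text = line[:lb]
        inner_text = line[lb + 1:line.rfind("]")]
    outer = dict(FIELD_RE.findall(outer_text))
    inner = dict(FIELD_RE.findall(inner_text)) if inner_text else None
    return outer, inner


def is_reply_to_own_traffic(line):
    """True when the embedded packet was sent by the host that logged the
    error, i.e. the ICMP error answers this host's own outbound traffic."""
    outer, inner = parse_netfilter_log(line)
    return inner is not None and inner.get("SRC") == outer.get("DST")


def explain(line):
    """One-line reading of an ICMP destination-unreachable entry, else None."""
    outer, inner = parse_netfilter_log(line)
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3" or inner is None:
        return None
    code = int(outer.get("CODE", -1))
    reason = UNREACH_CODES.get(code, "code %d" % code)
    return "%s says '%s' for the %s packet %s sent to %s" % (
        outer["SRC"], reason, inner.get("PROTO", "?"), inner["SRC"], inner["DST"])
```

Running `explain(SAMPLE)` reads the entry as 200.175.75.101 answering "port unreachable" to a TCP packet the firewall sent, and `is_reply_to_own_traffic(SAMPLE)` is True, so the ICMP was never sent by the firewall, only received.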