Re: strange log on gateway inside []

Hello,

Michele Petrazzo - Unipex wrote:
> Hi list,
> I have a firewall that logs some packets on the OUTPUT chain that are
> strange to me and that I haven't seen before. This is a typical log:
> 
> Firewall DROPOUT- IN= OUT=eth0 SRC=MYPUBBIP DST=188.153.11.87
>     LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=49303 PROTO=ICMP TYPE=3 CODE=3
> [SRC=188.153.11.87 DST=MYADDITIONALIP LEN=64 TOS=0x00 PREC=0x00 TTL=118
> ID=28851 DF PROTO=TCP SPT=12387 DPT=51684 WINDOW=17424 RES=0x00 ACK SYN
> URGP=0 ]
> 
> My output chain:
> *filter
> :OUTPUT DROP [4831251:620928037]
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -j LOG --log-prefix "Firewall DROPOUT- "
> 
> On it I have more than one public IP address; MYPUBBIP is the first
> and primary one, and MYADDITIONALIP is one of the secondaries.
> 
> The questions: why do I see this log, why does my fw want to talk to
> the outside, and, lastly, why does the kernel log twice, with one packet
> inside the brackets [ ]?

This is an ICMP error packet. Type 3 code 3 means "destination port
unreachable". An ICMP error packet contains the beginning (including the
header) of the original packet which triggered the error, printed within
brackets in the log. Here the original packet was TCP from 188.153.11.87
to MYADDITIONALIP. ICMP port unreachable is not the natural reply to an
unexpected TCP packet, so I guess it was generated by a REJECT target in
the INPUT or FORWARD chain. If the original packet was in the INVALID
state (or UNTRACKED if you used the NOTRACK target), then the ICMP error
packet is in the INVALID state instead of RELATED.
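As an added illustration (example code, not part of the original thread), here is a small parser that splits such a netfilter LOG line into the outer ICMP packet and the bracketed embedded original header, and names the ICMP error the way the reply above does; the sample line is constructed from the quoted log with the poster's MYPUBBIP / MYADDITIONALIP placeholders kept as-is.

```python
# Constructed sample modelled on the log line quoted in the thread; the
# MYPUBBIP / MYADDITIONALIP placeholders are kept exactly as the poster wrote them.
SAMPLE = (
    "Firewall DROPOUT- IN= OUT=eth0 SRC=MYPUBBIP DST=188.153.11.87 "
    "LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=49303 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=188.153.11.87 DST=MYADDITIONALIP LEN=64 TOS=0x00 PREC=0x00 TTL=118 "
    "ID=28851 DF PROTO=TCP SPT=12387 DPT=51684 WINDOW=17424 RES=0x00 ACK SYN "
    "URGP=0 ]"
)

# ICMP error types: each one embeds the header of the packet that triggered it.
ICMP_ERROR_TYPES = {3: "destination unreachable", 11: "time exceeded", 12: "parameter problem"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                     13: "administratively prohibited"}

def parse_fields(text):
    """Split 'KEY=VALUE ... FLAG' tokens into a dict; bare tokens (DF, ACK, SYN) become flags."""
    fields, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value  # an empty value such as IN= is kept as ""
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields

def parse_log(line):
    """Parse one netfilter LOG line; the bracketed part is the embedded original packet."""
    outer_text, _, inner_text = line.partition("[")
    start = outer_text.find("IN=")  # everything before IN= is the --log-prefix
    outer = parse_fields(outer_text[start:])
    inner = parse_fields(inner_text.rstrip().rstrip("]")) if inner_text else None
    return {"prefix": outer_text[:start].strip(), "outer": outer, "inner": inner}

def describe(entry):
    """Name the ICMP error and the original packet (from the brackets) that triggered it."""
    outer, inner = entry["outer"], entry["inner"]
    if outer.get("PROTO") != "ICMP" or int(outer.get("TYPE", -1)) not in ICMP_ERROR_TYPES:
        return "not an ICMP error packet"
    icmp_type, code = int(outer["TYPE"]), int(outer["CODE"])
    name = UNREACHABLE_CODES.get(code, ICMP_ERROR_TYPES[3]) if icmp_type == 3 else ICMP_ERROR_TYPES[icmp_type]
    text = f"ICMP type {icmp_type} code {code} ({name}) from {outer['SRC']} to {outer['DST']}"
    if inner:  # no brackets means no embedded header was logged
        text += (f", triggered by {inner['PROTO']} {inner['SRC']}:{inner.get('SPT', '?')}"
                 f" -> {inner['DST']}:{inner.get('DPT', '?')} [{' '.join(inner['flags'])}]")
    return text
```

For the sample line, describe() reports a type 3 code 3 (port unreachable) error from MYPUBBIP to 188.153.11.87, triggered by the SYN/ACK from 188.153.11.87:12387 to MYADDITIONALIP:51684 that the brackets show.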
