Hello,

Michele Petrazzo - Unipex wrote:
> Hi list,
> I have a firewall that logs some packets on the OUTPUT chain that are
> strange to me and that I haven't seen before. This is a typical log:
>
> Firewall DROPOUT- IN= OUT=eth0 SRC=MYPUBBIP DST=188.153.11.87
> LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=49303 PROTO=ICMP TYPE=3 CODE=3
> [SRC=188.153.11.87 DST=MYADDITIONALIP LEN=64 TOS=0x00 PREC=0x00 TTL=118
> ID=28851 DF PROTO=TCP SPT=12387 DPT=51684 WINDOW=17424 RES=0x00 ACK SYN
> URGP=0 ]
>
> My OUTPUT chain:
> *filter
> :OUTPUT DROP [4831251:620928037]
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -j LOG --log-prefix "Firewall DROPOUT- "
>
> On it I have more than one public IP address; MYPUBBIP is the first
> and primary one, and MYADDITIONALIP is one of the secondaries.
>
> The question: why do I see this log, why does my firewall want to talk
> to an external host, and, lastly, why does the kernel log the packet
> twice, with one copy inside the brackets [ ]?

This is an ICMP error packet. Type 3 code 3 means "destination port
unreachable". An ICMP error packet contains the beginning (including the
header) of the original packet which triggered the error, printed within
brackets in the log. Here the original packet was TCP from 188.153.11.87
to MYADDITIONALIP.

ICMP port unreachable is not the natural reply to an unexpected TCP
packet, so I guess it was generated by a REJECT target in the INPUT or
FORWARD chain.

If the original packet was in the INVALID state (or UNTRACKED if you used
the NOTRACK target), then the ICMP error packet is in the INVALID state
instead of RELATED.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
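The reply explains that the bracketed part of the LOG line is the copy of the original packet carried inside the ICMP error. The following parser is an added example, not code from the thread or from the netfilter project: it splits a netfilter LOG line into the outer (ICMP) fields and the bracketed inner (original) packet, names the ICMP type 3 code, and checks whether the error is the firewall's own reply to an inbound packet, i.e. the inner packet's DST is one of the firewall's addresses and its SRC is the outer DST. The sample lines are constructed to match the format quoted above; the addresses are RFC 5737 documentation ranges standing in for MYPUBBIP, MYADDITIONALIP and the remote host, and the function names are the example's own.

```python
import re

# Constructed sample lines in the netfilter LOG format shown in the post.
# 203.0.113.10 stands in for MYPUBBIP, 203.0.113.11 for MYADDITIONALIP,
# 198.51.100.87 for the remote host. None of these are real hosts.
SAMPLE_LOGS = [
    "Firewall DROPOUT- IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.87 "
    "LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=49303 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=198.51.100.87 DST=203.0.113.11 LEN=64 TOS=0x00 PREC=0x00 TTL=118 "
    "ID=28851 DF PROTO=TCP SPT=12387 DPT=51684 WINDOW=17424 RES=0x00 ACK SYN "
    "URGP=0 ] ",
    # A plain outbound TCP SYN, for contrast: no ICMP, no bracketed payload.
    "Firewall DROPOUT- IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 "
    "WINDOW=29200 RES=0x00 SYN URGP=0 ",
]

# ICMP destination unreachable (type 3) codes from RFC 792 / RFC 1122.
ICMP_TYPE3_CODES = {
    0: "network unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}

# A LOG token is either KEY=VALUE (VALUE may be empty, as in "IN=") or a
# bare uppercase flag such as DF, SYN or ACK.
TOKEN_RE = re.compile(r"\b([A-Z]+)(?:=(\S*))?")


def _parse_fields(text):
    """Turn a run of LOG tokens into a dict; bare flags go under 'FLAGS'."""
    fields = {"FLAGS": []}
    for m in TOKEN_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if value is None:          # no '=' at all: a bare flag
            fields["FLAGS"].append(key)
        else:                      # '=' present, possibly with an empty value
            fields[key] = value
    return fields


def parse_log_line(line):
    """Parse one netfilter LOG line. The record starts at the first 'IN='
    token; anything before it is the --log-prefix. A bracketed [...] section,
    present only for ICMP errors, is the header of the original packet and
    is returned under 'INNER' (None when absent)."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    prefix, body = line[:start].strip(), line[start:]
    inner = None
    m = re.search(r"\[(.*?)\]", body)
    if m:
        inner = _parse_fields(m.group(1))
        body = body[:m.start()] + body[m.end():]
    entry = _parse_fields(body)
    entry["PREFIX"] = prefix
    entry["INNER"] = inner
    return entry


def describe(entry):
    """One-line explanation; for ICMP errors, name the packet that triggered
    the error (the bracketed copy) rather than the ICMP packet itself."""
    if entry.get("PROTO") != "ICMP":
        return "%s %s:%s -> %s:%s [%s]" % (
            entry.get("PROTO"), entry["SRC"], entry.get("SPT", "-"),
            entry["DST"], entry.get("DPT", "-"), ",".join(entry["FLAGS"]))
    itype, code = int(entry["TYPE"]), int(entry["CODE"])
    inner = entry["INNER"]
    if itype == 3 and inner:
        reason = ICMP_TYPE3_CODES.get(code, "code %d" % code)
        return ("ICMP destination unreachable (%s) from %s to %s, in response "
                "to %s %s:%s -> %s:%s [%s]") % (
            reason, entry["SRC"], entry["DST"], inner.get("PROTO"),
            inner["SRC"], inner.get("SPT", "-"), inner["DST"],
            inner.get("DPT", "-"), ",".join(inner["FLAGS"]))
    return "ICMP type %d code %d from %s to %s" % (
        itype, code, entry["SRC"], entry["DST"])


def is_local_error_reply(entry, local_addrs):
    """True when the line is an ICMP error this host generated in reply to a
    packet addressed to one of local_addrs: the inner DST must be local and
    the inner SRC must equal the outer DST (the error goes back to the sender)."""
    inner = entry.get("INNER")
    if entry.get("PROTO") != "ICMP" or not inner:
        return False
    return inner.get("DST") in local_addrs and inner.get("SRC") == entry["DST"]


if __name__ == "__main__":
    local = {"203.0.113.10", "203.0.113.11"}
    for raw in SAMPLE_LOGS:
        e = parse_log_line(raw)
        print(describe(e), "| local reply:", is_local_error_reply(e, local))
```

Run over a real log, the "in response to" line tells you at a glance which inbound packet a REJECT or the stack answered, and the local-reply check separates these replies from genuinely unexpected outbound traffic; the ICMP copy only contains the original header, so fields beyond the TCP header are never present in the bracketed part.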