Can't interpret this log entry
opie at 817west.com
Fri Sep 24 18:44:44 CEST 2004
On Fri, 2004-09-24 at 11:53, Eric Ellis wrote:
> I'm slightly confused about this log entry that I'm seeing pop up in my
> The firewall is 126.96.36.199, on a private net.
> Sep 24 11:57:03 firewall kernel: IN=eth0 OUT=
> MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=188.8.131.52 DST=200.2
> 1.1.254 LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP TYPE=3
> CODE=3 [SRC=184.108.40.206 DST=220.127.116.11 LEN=48 T
> OS=0x00 PREC=0x00 TTL=102 ID=2554 DF PROTO=TCP INCOMPLETE [8 bytes] ]
> it *almost* looks like my box is sending an ICMP query, and getting a
> "port closed" response. The thing that bothers me about this is that I
> don't allow ICMP to talk on the box at all, so I shouldn't be sending
> ICMP, or if the machine tries to, I should be getting it logged, as I'm
> logging all of my drops.
it appears as though your firewall (18.104.22.168) is receiving an ICMP
port unreachable from 22.214.171.124 in response to a TCP packet it sent
(or SNAT-ed for a machine behind it).
there are those that would say that it's actually not a bad idea to
allow ICMP errors (types 3, 11, 12) into/through your firewall. YMMV.
icmp types/codes reference:
Jason Opperisano <opie at 817west.com>
More information about the netfilter