Can't interpret this log entry

Jason Opperisano opie at 817west.com
Fri Sep 24 18:44:44 CEST 2004


On Fri, 2004-09-24 at 11:53, Eric Ellis wrote:
> I'm slightly confused about this log entry that I'm seeing pop up in my 
> syslog.
> 
> The firewall is 200.21.1.254, on a private net.
> 
> Sep 24 11:57:03 firewall kernel: IN=eth0 OUT= 
> MAC=00:40:05:3d:51:e9:00:50:3e:ed:28:a0:08:00 SRC=200.175.75.101 DST=200.2
> 1.1.254 LEN=56 TOS=0x00 PREC=0x00 TTL=43 ID=10814 PROTO=ICMP TYPE=3 
> CODE=3 [SRC=200.21.1.254 DST=200.175.75.101 LEN=48 T
> OS=0x00 PREC=0x00 TTL=102 ID=2554 DF PROTO=TCP INCOMPLETE [8 bytes] ] 
> 
> 
> it *almost* looks like my box is sending an ICMP query, and getting a 
> "port closed" response.  The thing that bothers me about this is that I 
> don't allow ICMP to talk on the box at all, so I shouldn't be sending 
> ICMP, or if the machine tries to, I should be getting it logged, as I'm 
> logging all of my drops.
> 
> Confused.

it appears as though your firewall (200.21.1.254) is receiving an ICMP
port unreachable from 200.175.75.101 in response to a TCP packet it sent
(or SNAT-ed for a machine behind it).

there are those that would say that it's actually not a bad idea to
allow ICMP errors (types 3, 11, 12) into/through your firewall.  YMMV.

icmp types/codes reference:
        http://www.iana.org/assignments/icmp-parameters
        
-j

-- 
Jason Opperisano <opie at 817west.com>




More information about the netfilter mailing list