
what the heck does this log mean?



I'm using a woody box for a firewall following the "Serious Example" in
the ipchains howto (I've previously posted details about this here:
http://lists.debian.org/debian-firewall/2001/debian-firewall-200108/msg00004.html).
I'm using kernel 2.2.17. Things have been stable and working well
without messing with the setup for months.

However, infrequently (once every month or two) in the past but now more
frequently (several times in the past 2 days), traffic through this box
will suddenly stop, and I see this in /var/log/messages (the x.y.z.a IP
address is the address of the external interface of the firewall box):

Nov 14 08:29:22 fwbox -- MARK --
Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=144 F=0x0000 T=255 (#1)
Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=145 F=0x0000 T=255 (#1)
Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=146 F=0x0000 T=255 (#1)
Nov 14 08:38:15 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=147 F=0x0000 T=255 (#1)
Nov 14 08:38:22 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=148 F=0x0000 T=255 (#1)
Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=100 S=0xD0 I=155 F=0x0000 T=255 (#1)
Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=109 S=0xC0 I=156 F=0x0000 T=255 (#1)
Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1
x.y.z.a:3 x.y.z.a:1 L=100 S=0xD0 I=157 F=0x0000 T=255 (#1)
...

This stuff ricochets on the loopback lo with a 'destination-unreachable'
ICMP packet as the source protocol and an 'unassigned' ICMP packet
(type 1) as the destination. Is this a smurf attack? If so, am I getting
hammered from outside? Have I been breached and a trojan is trying to
launch an attack from my firewall box? Or is this something caused by a
configuration error on my part?
(http://linux.oreillynet.com/lpt/a/linux/2000/03/10/netadmin/ddos.html
suggests that logging can itself trigger DOS)

This continues until I restart the box Windoze style. Is there a more
appropriate way to abort this?

As an attempted preventative, I've added a line to the firewall initialization
script to turn on /proc/sys/net/ipv4/icmp_ignore_echo_broadcasts. What is
the chance that this will take care of the problem?

*MANY THANKS!!* for any help on this!

Stan

BTW, the relevant part of the ipchains script (for the external
interface of the firewall box) is this:

# rules for firewall box itself
# EXTIF
# EXTIF is eth1
# I'm not running DNS here but rather pointing to the ISP's DNS
#   allow www (for dselect upgrade of firewall box)
#   allow DNS so www will work

/sbin/ipchains -A ext-if -i ! $EXTIF -j DENY -l
/sbin/ipchains -A ext-if -p TCP --dport www -j ACCEPT
/sbin/ipchains -A ext-if -p TCP -s $DNSIP1 domain -j ACCEPT
/sbin/ipchains -A ext-if -p UDP -s $DNSIP1 domain -j ACCEPT
/sbin/ipchains -A ext-if -p TCP -s $DNSIP2 domain -j ACCEPT
/sbin/ipchains -A ext-if -p UDP -s $DNSIP2 domain -j ACCEPT
/sbin/ipchains -A ext-if -p TCP --dport 61000:65096 -j ACCEPT
/sbin/ipchains -A ext-if -p UDP --dport 61000:65096 -j ACCEPT
/sbin/ipchains -A ext-if -p ICMP --icmp-type ping -j ACCEPT
/sbin/ipchains -A ext-if -p ICMP --icmp-type pong -j ACCEPT
/sbin/ipchains -A ext-if -j icmp-acc
/sbin/ipchains -A ext-if -j DENY -l


Stan Kaufman, Principal, The Epimetrics Group
http://www.epimetrics.com/ -- skaufman@epimetrics.com

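The fields in an ipchains "Packet log:" line are fixed-position, and for PROTO=1 (ICMP) the two "port" slots carry the ICMP type (after the source address) and code (after the destination address). The parser below decodes them and tags lines whose source and destination are both the box's own address on lo. This is an added example, not code from the original post or from the ipchains project; the first four sample lines are taken from the excerpt above (x.y.z.a is the poster's placeholder, with the wrapped lines rejoined) and the fifth is a constructed inbound line added for contrast. The type and code names are the standard ICMP assignments; the rule-number remark in classify() refers to the posted ext-if chain, whose first appended rule is "-i ! $EXTIF -j DENY -l".

```python
"""Decode ipchains (kernel 2.2) "Packet log:" lines, expanding ICMP type/code.

Added example; not the original poster's code.  Sample lines are constructed
from the post's log excerpt plus one invented inbound line.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of an ipchains log line:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sp> <dst>:<dp>
#               L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
# For PROTO=1 (ICMP) the <sp>/<dp> slots hold the ICMP type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

# Standard ICMP type names and the codes of type 3 (destination unreachable).
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded",
              12: "parameter-problem"}
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable",
                 2: "protocol-unreachable", 3: "port-unreachable",
                 4: "fragmentation-needed", 5: "source-route-failed"}

# Constructed sample input: lines 1-4 follow the post's excerpt, line 5 is an
# invented inbound ICMP redirect dropped by the chain's final "DENY -l" rule.
SAMPLE_LOG = [
    "Nov 14 08:29:22 fwbox -- MARK --",
    "Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=144 F=0x0000 T=255 (#1)",
    "Nov 14 08:38:10 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=88 S=0xC0 I=145 F=0x0000 T=255 (#1)",
    "Nov 14 08:43:42 fwbox kernel: Packet log: ext-if DENY lo PROTO=1 x.y.z.a:3 x.y.z.a:1 L=100 S=0xD0 I=155 F=0x0000 T=255 (#1)",
    "Nov 14 08:50:01 fwbox kernel: Packet log: ext-if DENY eth1 PROTO=1 192.0.2.10:5 x.y.z.a:1 L=56 S=0x00 I=2001 F=0x0000 T=53 (#12)",
]


@dataclass
class PacketLog:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    tos: int
    ipid: int
    frag: int
    ttl: int
    rule: int

    @property
    def icmp_type(self) -> Optional[int]:
        return self.sport if self.proto == 1 else None

    @property
    def icmp_code(self) -> Optional[int]:
        return self.dport if self.proto == 1 else None


def parse_line(line: str) -> Optional[PacketLog]:
    """Return a PacketLog for an ipchains log line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None  # e.g. the syslog "-- MARK --" heartbeat
    g = m.groupdict()
    return PacketLog(chain=g["chain"], target=g["target"], iface=g["iface"],
                     proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
                     dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
                     tos=int(g["tos"], 16), ipid=int(g["ipid"]),
                     frag=int(g["frag"], 16), ttl=int(g["ttl"]), rule=int(g["rule"]))


def describe_icmp(icmp_type: int, code: int) -> str:
    """Human-readable 'type/code' using the standard ICMP assignments."""
    tname = ICMP_TYPES.get(icmp_type, f"type {icmp_type} (unassigned)")
    cname = UNREACH_CODES.get(code, f"code {code}") if icmp_type == 3 else f"code {code}"
    return f"{tname}/{cname}"


def classify(rec: PacketLog) -> str:
    """Judge the packet's origin from the log fields alone."""
    if rec.proto == 1 and rec.iface == "lo" and rec.src == rec.dst:
        # Seen on loopback with the box's own address at both ends: the
        # kernel generated this ICMP error locally.  It was then dropped by
        # the first rule of the chain (in the posted ext-if chain that is
        # "-i ! $EXTIF -j DENY -l"), since lo is not $EXTIF.
        return "local-icmp-error"
    if rec.proto == 1:
        return "icmp-from-" + rec.iface
    return "non-icmp"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count log lines by chain, target, interface, origin and ICMP meaning."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec.chain} {rec.target} {rec.iface} {classify(rec)}"
        if rec.proto == 1:
            key += " " + describe_icmp(rec.icmp_type, rec.icmp_code)
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{n:4d}  {key}")
```

Two caveats when reading the output. The "(#1)" at the end of each line is the index of the rule that matched within the named chain, so it identifies which ipchains line produced the entry. And the kernel knob for ignoring pings to broadcast addresses is spelled icmp_echo_ignore_broadcasts under /proc/sys/net/ipv4; it only affects ICMP echo requests sent to broadcast or multicast addresses, so it has no bearing on how type 3 (destination unreachable) errors such as these are generated or logged.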