
RE: Need help analyzing firewall log message


I know that there are types of ICMP packets and I know that
they are specified as like port numbers in firewall rules, but
I still don't know...:

1) There is a source and destination "port number". Which is
relevant? A packet sure couldn't have two ICMP types?

2) What does the one sending the packet want to effect?
   The message type must be one of the 2, so

3  = destination unreachable
	Don't know why I should get that from there
	All other d-u's come in from a "real" source.
13 = timestamp request
	What on earth would they want with a timestamp?
	And why over ICMP?



> -----Original Message-----
> From: Marcelo Couto [mailto:mcouto@itcbrasil.com.br]
> Sent: Thursday, September 14, 2000 8:27 PM
> To: Christian Pernegger; Debian security list; Debian user list
> Subject: RE: Need help analyzing firewall log message
> From /usr/src/linux/include/linux/icmp.h:


> -----Original Message-----
> From: Christian Pernegger [mailto:pernegger@chello.at]
> Sent: Thursday, September 14, 2000 14:59
> To: Debian security list; Debian user list
> Subject: Need help analyzing firewall log message
> Importance: Low
> Sep 14 19:41:44 jesus kernel: Packet log: \
> input DENY eth1 PROTO=1 x.x.x.x:13 L=56 S=0x00 I=3405 F=0x0000 T=255 (#4)
> Happens in bursts of ~7, once a day, maybe more
> eth1 is the external interface, connected to a cable modem that is fully
> transparent.
> (That is I block all incoming/outgoing private LAN addresses and it still
> works)
> This is the only thing that I ever see coming in from a private address.
> Protocol 1 is ICMP according to /etc/protocols.
> seems to be the other end of the cable modem bridge. (I made a route and checked.)
> The target ip is my box.
> How do I read the ports in ICMP logs?
> I'm sure it's legit, I just wanna know WTF my ISP is doing...
> Thanks
> Christian
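The question of which of the two numbers after an address in an ICMP log line is the "port" comes down to how ipchains prints PROTO=1 entries. The Python below is an added example, not part of this thread: it parses constructed "Packet log:" lines (the line quoted above has its second address elided, so these samples are made up) and decodes the two numbers on the assumption, not stated on the page, that ipchains puts the ICMP type in the source-port position and the ICMP code in the destination-port position. Constant names and values follow linux/icmp.h. It also checks whether L= (the total IP length) is consistent with the decoded type: an error message such as destination unreachable quotes the offending packet's IP header plus 8 bytes, so it cannot be shorter than 56 bytes, while a timestamp request carries only its 20-byte ICMP body on top of the IP header.

```python
import re

# Added example (not from the thread). Assumption: for PROTO=1 ipchains prints
# the ICMP type in the source "port" position and the ICMP code in the
# destination "port" position. Constant names/values follow linux/icmp.h.
ICMP_TYPES = {
    0: "ICMP_ECHOREPLY", 3: "ICMP_DEST_UNREACH", 4: "ICMP_SOURCE_QUENCH",
    5: "ICMP_REDIRECT", 8: "ICMP_ECHO", 11: "ICMP_TIME_EXCEEDED",
    12: "ICMP_PARAMETERPROB", 13: "ICMP_TIMESTAMP", 14: "ICMP_TIMESTAMPREPLY",
    15: "ICMP_INFO_REQUEST", 16: "ICMP_INFO_REPLY", 17: "ICMP_ADDRESS",
    18: "ICMP_ADDRESSREPLY",
}
# Codes that only have a meaning under type 3 (destination unreachable).
DEST_UNREACH_CODES = {
    0: "ICMP_NET_UNREACH", 1: "ICMP_HOST_UNREACH", 2: "ICMP_PROT_UNREACH",
    3: "ICMP_PORT_UNREACH", 4: "ICMP_FRAG_NEEDED", 5: "ICMP_SR_FAILED",
    6: "ICMP_NET_UNKNOWN", 7: "ICMP_HOST_UNKNOWN", 8: "ICMP_HOST_ISOLATED",
    9: "ICMP_NET_ANO", 10: "ICMP_HOST_ANO", 11: "ICMP_NET_UNR_TOS",
    12: "ICMP_HOST_UNR_TOS", 13: "ICMP_PKT_FILTERED", 14: "ICMP_PREC_VIOLATION",
    15: "ICMP_PREC_CUTOFF",
}
# Error messages: they quote the IP header + 8 bytes of the packet that caused them.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
IP_HDR = 20  # minimum IPv4 header; L= counts the whole datagram

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

# Constructed sample lines (host name and addresses made up; not from the thread).
SAMPLE_LINES = [
    "Sep 14 19:41:44 gw kernel: Packet log: input DENY eth1 PROTO=1 "
    "192.0.2.1:3 198.51.100.7:13 L=56 S=0x00 I=3405 F=0x0000 T=255 (#4)",
    "Sep 14 19:41:45 gw kernel: Packet log: input DENY eth1 PROTO=1 "
    "192.0.2.1:13 198.51.100.7:0 L=40 S=0x00 I=3406 F=0x0000 T=255 (#4)",
    "Sep 14 19:42:01 gw kernel: Packet log: input DENY eth1 PROTO=6 "
    "192.0.2.9:4321 198.51.100.7:22 L=60 S=0x00 I=7 F=0x4000 T=51 (#2)",
]


def parse_packet_log(line):
    """Parse one ipchains 'Packet log:' line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec


def length_plausible(icmp_type, total_length):
    """Is L= consistent with the claimed type? Lower bounds only; IP options add bytes."""
    if icmp_type in ICMP_ERROR_TYPES:
        return total_length >= IP_HDR + 8 + IP_HDR + 8   # 56 bytes with no options
    if icmp_type in (13, 14):
        return total_length >= IP_HDR + 20               # timestamp: 20-byte ICMP body
    if icmp_type in (0, 8):
        return total_length >= IP_HDR + 8                # echo: 8-byte header minimum
    return True  # no check for the remaining types


def decode_icmp(rec):
    """Read the two 'port' numbers of a PROTO=1 record as ICMP type and code."""
    if rec["proto"] != 1:
        raise ValueError("not an ICMP record (PROTO=%d)" % rec["proto"])
    icmp_type, icmp_code = rec["sport"], rec["dport"]
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "unknown"),
        "code": icmp_code,
        "code_name": DEST_UNREACH_CODES.get(icmp_code, "unknown") if icmp_type == 3 else None,
        "is_error": icmp_type in ICMP_ERROR_TYPES,
        "length_plausible": length_plausible(icmp_type, rec["length"]),
    }


def summarize(line):
    """One-line human reading of a log line; TCP/UDP lines keep their real ports."""
    rec = parse_packet_log(line)
    if rec is None:
        return "unparsed: " + line.strip()
    if rec["proto"] == 1:
        d = decode_icmp(rec)
        code = "" if d["code_name"] is None else " code %d (%s)" % (d["code"], d["code_name"])
        return "%s %s on %s: ICMP type %d (%s)%s from %s to %s, L=%d %s" % (
            rec["chain"], rec["verdict"], rec["iface"], d["type"], d["type_name"], code,
            rec["src"], rec["dst"], rec["length"],
            "plausible" if d["length_plausible"] else "odd length")
    return "%s %s on %s: proto %d %s:%d -> %s:%d" % (
        rec["chain"], rec["verdict"], rec["iface"], rec["proto"],
        rec["src"], rec["sport"], rec["dst"], rec["dport"])


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(summarize(sample))
```

Run as a script it prints one decoded line per sample; the first sample reads as destination unreachable with code ICMP_PKT_FILTERED, the second as a timestamp request, and the TCP sample keeps 4321 and 22 as ordinary ports. The length check is only a lower bound, so it can flag a line that is too short for its claimed type but never proves one genuine.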
