RE: Need help analyzing firewall log message
Thanks.
I know that there are types of ICMP packets and I know that
they are specified as like port numbers in firewall rules, but
I still don't know...:
1) There is a source and destination "port number". Which is
relevant? A packet sure couldn't have to ICMP types?
2) What does the one sending the packet want to effect?
The message type must be one of the 2, so
3 = destination unreachable
Don't know why I should get that from there
All other d-u's come in from a "real" source.
13 = timestamp request
What on earth would they want with a timestamp?
And why over ICMP?
Regards
Christian
> -----Original Message-----
> From: Marcelo Couto [mailto:mcouto@itcbrasil.com.br]
> Sent: Thursday, September 14, 2000 8:27 PM
> To: Christian Pernegger; Debian security list; Debian user list
> Subject: RE: Need help analyzing firewall log message
>
>
>
> >From /usr/src/linux/include/linux/icmp.h:
<snip>
> -----Original Message-----
> From: Christian Pernegger [mailto:pernegger@chello.at]
> Sent: quinta-feira, 14 de setembro de 2000 14:59
> To: Debian security list; Debian user list
> Subject: Need help analyzing firewall log message
> Importance: Low
>
>
> Sep 14 19:41:44 jesus kernel: Packet log: \
> input DENY eth1 PROTO=1 10.34.15.1:3 x.x.x.x:13 L=56 S=0x00
> I=3405 F=0x0000
> T=255 (#4)
>
> Happens in bursts of ~7, once a day, maybe more
>
> eth1 is the external interface, connected to a cable modem that is fully
> transparent.
> (That is I block all incoming/outgoing private LAN addresses and it still
> works)
> This is the only thing that I ever see coming in from a private address.
>
> Protocol 1 is ICMP according to /etc/protocols.
> 10.34.15.1 seems to be other end of the cable modem bridge. (I
> made a route
> and checked.)
> The target ip is my box.
>
> How do I read the ports in ICMP logs?
>
> I'm sure it's legit, I just wanna know WTF my ISP is doing...
>
> Thanks
>
> Christian
Reply to: