
RE: Need help analyzing firewall log message



ICMP messages can be of different types, but do not have port assignments.
There are ICMP types like ping, ping response, unreach, etc.  There are also
different types of ICMP unreach packets.  Check out
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html
for a description, and for further information, look up the RFCs that the
document references.

Mathew Johnston

PS RFCs are the BEST source for this type of information.  Use them :)

> Thanks.
>
> I know that there are types of ICMP packets and I know that
> they are specified like port numbers in firewall rules, but
> I still don't know...:
>
> 1) There is a source and destination "port number". Which is
> relevant? A packet surely couldn't have two ICMP types?
>
> 2) What does the one sending the packet want to affect?
>    The message type must be one of the 2, so
>
> 3  = destination unreachable
>         Don't know why I should get that from there
>         All other d-u's come in from a "real" source.
> 13 = timestamp request
>         What on earth would they want with a timestamp?
>         And why over ICMP?
>
> Regards
>
> Christian
>
> > -----Original Message-----
> > From: Marcelo Couto [mailto:mcouto@itcbrasil.com.br]
> > Sent: Thursday, September 14, 2000 8:27 PM
> > To: Christian Pernegger; Debian security list; Debian user list
> > Subject: RE: Need help analyzing firewall log message
> >
> >
> >
> > From /usr/src/linux/include/linux/icmp.h:
>
> <snip>
>
> > -----Original Message-----
> > From: Christian Pernegger [mailto:pernegger@chello.at]
> > Sent: Thursday, 14 September 2000 14:59
> > To: Debian security list; Debian user list
> > Subject: Need help analyzing firewall log message
> > Importance: Low
> >
> >
> > Sep 14 19:41:44 jesus kernel: Packet log: input DENY eth1 PROTO=1 10.34.15.1:3 x.x.x.x:13 L=56 S=0x00 I=3405 F=0x0000 T=255 (#4)
> >
> > Happens in bursts of ~7, once a day, maybe more
> >
> > eth1 is the external interface, connected to a cable modem that is fully
> > transparent. (That is, I block all incoming/outgoing private LAN addresses
> > and it still works.)
> > This is the only thing that I ever see coming in from a private address.
> >
> > Protocol 1 is ICMP according to /etc/protocols.
> > 10.34.15.1 seems to be the other end of the cable modem bridge. (I made a
> > route and checked.)
> > The target ip is my box.
> >
> > How do I read the ports in ICMP logs?
> >
> > I'm sure it's legit, I just wanna know WTF my ISP is doing...
> >
> > Thanks
> >
> > Christian
>
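The question in the thread is how to read the "ports" in an ICMP entry of an ipchains `Packet log:` line. For PROTO=1 ipchains prints the ICMP type in the source "port" position and the ICMP code in the destination position, so `10.34.15.1:3 x.x.x.x:13` is type 3, code 13: destination unreachable, communication administratively prohibited (RFC 792 type, RFC 1812 code). The parser below is an added example written for this page, not code from any poster or from Debian; it decodes the logged line into fields, applies the type/code interpretation for ICMP and ports for everything else, and names the type and unreach code from the RFC tables. The sample line is the one from the thread joined onto one line; the `x.x.x.x` destination is kept as the poster wrote it.

```python
import re

# ipchains "Packet log:" format, with or without the syslog/kernel prefix.
LOG_RE = re.compile(
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<verdict>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.x]+):(?P<sfield>\d+)\s+"
    r"(?P<dst>[\d.x]+):(?P<dfield>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)"
)

# ICMP message types from RFC 792.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
    13: "timestamp request",
    14: "timestamp reply",
    15: "information request",
    16: "information reply",
}

# Codes for type 3 (destination unreachable): 0-5 from RFC 792, 9-13 from RFC 1812.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    11: "net unreachable for TOS",
    12: "host unreachable for TOS",
    13: "communication administratively prohibited",
}

# The log line quoted in the thread, re-joined onto a single line.
SAMPLE = ("Sep 14 19:41:44 jesus kernel: Packet log: input DENY eth1 PROTO=1 "
          "10.34.15.1:3 x.x.x.x:13 L=56 S=0x00 I=3405 F=0x0000 T=255 (#4)")


def parse_packet_log(line):
    """Return a dict of fields from one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "dst": d["dst"],
        "length": int(d["length"]), "ttl": int(d["ttl"]),
    }
    if rec["proto"] == 1:
        # ICMP has no ports: ipchains puts the ICMP type after the source
        # address and the ICMP code after the destination address.
        rec["icmp_type"] = int(d["sfield"])
        rec["icmp_code"] = int(d["dfield"])
    else:
        # TCP/UDP: the two fields really are source and destination ports.
        rec["sport"] = int(d["sfield"])
        rec["dport"] = int(d["dfield"])
    return rec


def describe_icmp(rec):
    """Name the ICMP type (and, for type 3, the unreach code) of a parsed record."""
    if rec is None or rec.get("proto") != 1:
        return None
    t, c = rec["icmp_type"], rec["icmp_code"]
    name = ICMP_TYPES.get(t, "unknown type")
    if t == 3:
        name += ", " + UNREACH_CODES.get(c, "unknown code")
    return f"ICMP type {t} code {c}: {name}"


if __name__ == "__main__":
    rec = parse_packet_log(SAMPLE)
    print(rec)
    print(describe_icmp(rec))
```

Running it on the thread's line prints "ICMP type 3 code 13: destination unreachable, communication administratively prohibited", i.e. a filtering device at the cable-modem end reporting that it dropped something the box sent, rather than two unrelated ICMP types.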