Re: Unusual logging
petes@movieworld.com.au writes:
> Packet log: input DENY eth0 PROTO=1 yyy.y.yy.yy:3 xxx.xx.xxx.xxx:13 L=56
> S=0x00 I=29688 F=0x0000 T=244 (#30)
>
> It's the :13 part that I found unusual. A little research has revealed
> that it may be an attempt to fingerprint our system to see what is
> available. I was led to believe that this is the Timeday port. Is this
> correct? xxx is our public IP address, and yyy is the remote IP address
> that is making the contact.
You should've started with the PROTO=1 bit...
| zsh, spodzone 12:00AM piglet % ipchains -h icmp
| ipchains 1.3.10, 1-Sep-2000
|
| Valid ICMP Types:
| Type Code Description
| 0 0 echo-reply (pong)
| 3 destination-unreachable
[snip]
| 12 TOS-host-unreachable
| 13 communication-prohibited
| 14 host-precedence-violation
| 15 precedence-cutoff
to which the short answer is, "don't go there then". More to the point, you
should *not* be filtering ICMP type 3 anyway.
<http://logi.cc/linux/NetfilterLogAnalyzer.php3> is your friend.
~Tim
--
<http://spodzone.org.uk/>
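The point Tim makes is that in an ipchains "Packet log:" line the two ":N" fields after the addresses are only ports when the protocol is TCP or UDP; when PROTO=1 they are the ICMP type and code, so ":3 ... :13" is destination-unreachable / communication-prohibited, not the daytime port. The following decoder is an added example and is not part of either message in the thread. It assumes the ipchains log layout shown in the quoted line, uses the ICMP type and code names as `ipchains -h icmp` prints them, and runs over constructed sample lines with TEST-NET addresses; the `needed_icmp_dropped` flag implements Tim's advice that ICMP type 3 should not be DENYed.

```python
"""Decode ipchains 'Packet log:' lines, treating the two ':N' fields
as ICMP type/code when PROTO=1 and as ports otherwise."""
import re
from typing import Optional

# Protocol numbers as they appear in the PROTO= field.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# ICMP type names (subset of the `ipchains -h icmp` listing).
ICMP_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 11: "time-exceeded",
    12: "parameter-problem", 13: "timestamp-request", 14: "timestamp-reply",
}

# Codes for type 3 (destination-unreachable), named as ipchains prints them.
ICMP_UNREACH_CODES = {
    0: "network-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
    3: "port-unreachable", 4: "fragmentation-needed", 5: "source-route-failed",
    6: "network-unknown", 7: "host-unknown", 9: "network-prohibited",
    10: "host-prohibited", 11: "TOS-network-unreachable",
    12: "TOS-host-unreachable", 13: "communication-prohibited",
    14: "host-precedence-violation", 15: "precedence-cutoff",
}

# A few well-known low ports that are easy to confuse with ICMP type/code values.
PORT_NAMES = {7: "echo", 13: "daytime", 37: "time"}

# Layout of an ipchains log line: chain target iface PROTO=n src:a dst:b L= S= I= F= T= (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<a>\d+) (?P<dst>[\d.]+):(?P<b>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)


def decode(line: str) -> Optional[dict]:
    """Return a decoded record for one ipchains log line, or None if the
    line is not in the 'Packet log:' format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    a, b = int(m["a"]), int(m["b"])
    rec = {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"], "dst": m["dst"], "ttl": int(m["ttl"]),
        "rule": int(m["rule"]) if m["rule"] else None,
    }
    if proto == 1:
        # For ICMP, ipchains reuses the two port slots for type and code.
        rec.update(icmp_type=a, icmp_code=b)
        name = ICMP_TYPES.get(a, f"type-{a}")
        if a == 3:
            name += "/" + ICMP_UNREACH_CODES.get(b, f"code-{b}")
        rec["desc"] = f"icmp {name}"
        # Type 3 tells a sender why its traffic failed (including the
        # fragmentation-needed code used by path-MTU discovery), so a
        # DENY rule that drops it is worth flagging.
        rec["needed_icmp_dropped"] = (a == 3 and m["target"] == "DENY")
    else:
        rec.update(sport=a, dport=b)
        rec["desc"] = f"{rec['proto']} port {PORT_NAMES.get(b, str(b))}"
        rec["needed_icmp_dropped"] = False
    return rec


def decode_all(lines):
    """Decode every recognisable line, skipping anything else."""
    return [r for r in (decode(l) for l in lines) if r]


# Constructed sample lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    "Packet log: input DENY eth0 PROTO=1 198.51.100.7:3 192.0.2.10:13 "
    "L=56 S=0x00 I=29688 F=0x0000 T=244 (#30)",
    "Packet log: input DENY eth0 PROTO=6 198.51.100.7:40312 192.0.2.10:13 "
    "L=60 S=0x00 I=1 F=0x4000 T=52 (#31)",
    "Packet log: input DENY eth0 PROTO=1 198.51.100.7:8 192.0.2.10:0 "
    "L=84 S=0x00 I=2 F=0x0000 T=60 (#30)",
]

if __name__ == "__main__":
    for r in decode_all(SAMPLE_LOG):
        flag = "  <- denying needed ICMP" if r["needed_icmp_dropped"] else ""
        print(f"{r['target']:5} {r['src']} -> {r['dst']}  {r['desc']}{flag}")
```

Run it and the first sample line comes out as "icmp destination-unreachable/communication-prohibited" and is flagged, the TCP line with the same ":13" is reported as the daytime port, and the echo-request passes without comment; that difference is exactly why the PROTO= field has to be read before the port-looking numbers.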