On Sat, 21 Apr 2001, Konstantin (Kastus) Shchuka wrote:
Hi SuSErs,
What is udp port 3 for? /etc/services names it as compressnet.
The reason I'm asking is that I keep getting lots of messages in my log like:
Apr 21 15:40:43 fizia kernel: Packet log: output DENY eth0 PROTO=1 x.x.x.x:3 y.y.y.y:3 L=95 S=0xC0 I=0 F=0x4000 T=255 (#3)
As I interpret it, some process on my machine tries to send a UDP packet from port 3 to port 3 on some host on the ISP network. Firewall rules deny this.
Well, actually, PROTO=1 is ICMP, not UDP. It doesn't use ports, so the ipchains logging facility uses those places in the format to display the ICMP message type and reason code instead. ICMP code 3, reason 3 means 'destination unreachable; port unreachable'. Another host is trying to connect to a service on your host. Your host is not running that service, so it's attempting to tell the requestor politely to go away. ICMP 3 is the way to do this. However, your ipchains ruleset is preventing the outgoing ICMP 3 message from being sent, and it's writing this message to the log to let you know.

So much for the technical side. Why? Many firewall designers choose to block all unnecessary services. They sometimes differ on what's 'necessary', though. ICMP is frequently blocked by designers who prefer the 'stealth' approach - stay absolutely silent, and they'll think you're not even there. Any response, even a 'go away, this door is locked' message, might reveal some information about your system that might conceivably be exploited.

Now the other side of the coin. Several common, usually necessary services, like SMTP and DNS, for example, routinely and legitimately issue an 'ident' call to identify the requestor for logging purposes, before opening the connection. They seldom refuse to serve, even if the requestor's host isn't running an 'ident' service. Since 'ident' by design gives out information about users on the system, few cautious people choose to run it. However, if you choose to close the 'ident' port, and you ALSO choose to DENY outgoing ICMP 3,3's, then your DNS and SMTP servers will wait for a while expecting an ident response, before they time out, finally assume that you're not running ident, and open the connection anyway. If you allow outgoing ICMP 3,3's, you won't see that initial delay every time you access your DNS or SMTP relay.

You didn't publish the destination IP address from your message. I don't need to see it, but you might look yourself to see if it's a known server that you would like more prompt service from...

-- Rick Green
"I have the heart of a little child, and the brain of a genius. ... and I keep them in a jar under my bed"
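A small parser for the ipchains "Packet log:" lines discussed in this thread, added here as an example and not part of either poster's message. It applies the point Rick makes: for PROTO=1 the two "port" slots hold the ICMP type and code, so a line showing `:3 ... :3` is a 'destination unreachable / port unreachable' reply, not UDP port 3. The log lines and addresses are constructed for the example; the ICMP name tables cover only a few common values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the ipchains "Packet log:" format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr 21 15:40:43 fizia kernel: Packet log: output DENY eth0 PROTO=1 192.0.2.10:3 198.51.100.7:3 L=95 S=0xC0 I=0 F=0x4000 T=255 (#3)
Apr 21 15:41:02 fizia kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:41234 192.0.2.10:113 L=60 S=0x00 I=12345 F=0x4000 T=52 (#7)
Apr 21 15:41:05 fizia kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:1024 192.0.2.10:3 L=48 S=0x00 I=1 F=0x0000 T=60 (#9)
"""
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<a>\d+) (?P<dst>[\d.]+):(?P<b>\d+) .*\(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable", 3: "port unreachable"}

@dataclass
class PacketLog:
    chain: str
    target: str
    proto: int
    src: str
    dst: str
    rule: int
    sport: Optional[int] = None      # TCP/UDP only
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # ICMP only: the two "port" slots carry type and code
    icmp_code: Optional[int] = None
    def describe(self) -> str:
        head = f"{self.chain} {self.target} {PROTO_NAMES.get(self.proto, self.proto)} {self.src} -> {self.dst}"
        if self.proto != 1:
            return f"{head} port {self.sport} -> {self.dport} (rule #{self.rule})"
        code = UNREACH_CODES.get(self.icmp_code, "") if self.icmp_type == 3 else ""
        return (f"{head} type {self.icmp_type} ({ICMP_TYPES.get(self.icmp_type, 'unknown')}) "
                f"code {self.icmp_code}{' (' + code + ')' if code else ''} (rule #{self.rule})")

def parse_line(line: str) -> Optional[PacketLog]:
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, a, b = int(m["proto"]), int(m["a"]), int(m["b"])
    rec = PacketLog(m["chain"], m["target"], proto, m["src"], m["dst"], int(m["rule"]))
    if proto == 1:   # ICMP has no ports; ipchains prints type:code in their place
        rec.icmp_type, rec.icmp_code = a, b
    else:
        rec.sport, rec.dport = a, b
    return rec

def parse_log(text: str) -> List[PacketLog]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]
```

Running `parse_log(SAMPLE_LOG)` and printing `describe()` for each record turns the first line into "output DENY ICMP ... type 3 (destination unreachable) code 3 (port unreachable)", while the TCP line to port 113 shows the ident probe the reply describes.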