On Sun, 22 Apr 2001, Konstantin (Kastus) Shchuka wrote:
Another host is trying to connect to a service on your host. Your host is not running that service, so it's attempting to tell the requestor politely to go away. ICMP 3 is the way to do this. However, your ipchains ruleset is preventing the outgoing ICMP 3 message from being sent, and it's writing this message to the log to let you know.
I'm using SuSEfirewall, it generates rule automatically. There is only one place which deals with icmp, it's FW_KERNEL_SECURITY="yes". Is it correct? A few months ago, I posed this same question on the suse-security list, and marc told me to simply set FW_ALLOW_FW_TRACEROUTE="yes", and SuSEfirewall would handle it.
-- Rick Green "I have the heart of a little child, and the brain of a genius. ... and I keep them in a jar under my bed"