Mailinglist Archive: opensuse (1470 mails)

Re: [opensuse] What is the meaning of these firewall log entries?
On 2016-02-13 13:32, Darryl Gregorash wrote:
> On 12/02/16 11:47 PM, Andrei Borzenkov wrote:
>
> The problem is, "blocks" is the /right/ word. AFAIK, you will only get a
> "port unreachable" reply from a remote system *if and only if* the port
> is blocked by the remote's firewall. Someone correct me if I am wrong,
> but I do believe, if the port is open but there is no service listening,
> then the message will simply time out without a response.

And it is open in the firewall.

> Perhaps iptables is smart enough to figure that out, and then send a
> "time exceeded" response (ICMP type 11), but that certainly is not what
> is happening here.

Correct.

I have determined some important info: the event happens only when I hibernate
the sender machine (...14).
I saw the messages going by in the screen while the machine hibernates.
The timestamp corresponds to the thawing, because then is when it has a chance
to write them:


<0.4> 2016-02-13 14:23:10 Telcontar kernel - - - [1086086.829327]
SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14
LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 PREC=0x00 TTL=64
ID=3399 PROTO=UDP SPT=6666 DPT=6666 LEN=14 ]

<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.830161]
SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14
LEN=107 TOS=0x00 PREC=0xC0 TTL=64 ID=52522 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.168.1.14 DST=192.168.1.15 LEN=79 TOS=0x00 PREC=0x00 TTL=64
ID=3401 PROTO=UDP SPT=6666 DPT=6666 LEN=59 ]

<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.831316]
SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14
LEN=369 TOS=0x00 PREC=0xC0 TTL=64 ID=52523 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.168.1.14 DST=192.168.1.15 LEN=341 TOS=0x00 PREC=0x00 TTL=64
ID=3403 PROTO=UDP SPT=6666 DPT=6666 LEN=321 ]

<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.831843]
SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14
LEN=370 TOS=0x00 PREC=0xC0 TTL=64 ID=52524 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.168.1.14 DST=192.168.1.15 LEN=342 TOS=0x00 PREC=0x00 TTL=64
ID=3405 PROTO=UDP SPT=6666 DPT=6666 LEN=322 ]

<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.832754]
SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14
LEN=372 TOS=0x00 PREC=0xC0 TTL=64 ID=52525 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64
ID=3407 PROTO=UDP SPT=6666 DPT=6666 LEN=324 ]



During all this time, on 192.168.1.15 there is a "netcat -u -l 6666 | tee -a
remote_log" process logging entries coming from 192.168.1.14, by netconsole,
which TODAY is indeed working, as I got entries in the remote_log file:


[1086086.299979] Syncing filesystems ... [1086086.299979] Syncing filesystems
... done.
[1086086.828979] Freezing user space processes ...
[1086086.829327] SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14
LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=3399
PROTO=UDP SPT=6666 DPT=6666 LEN=14 ]
[1086086.830161] SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14
LEN=107 TOS=0x00 PREC=0xC0 TTL=64 ID=52522 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.168.1.14 DST=192.168.1.15 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=3401
PROTO=UDP SPT=6666 DPT=6666 LEN=59 ]
...
...
[1086096.119680] Restarting kernel threads ... done.
[1086096.125260] Restarting tasks ... done.

So everything is working now, except those dropped ICMP messages despite the
port being open, and the packages being accepted and logged. But only during
the hibernation process.


--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
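
The following is an added example, not part of the original message: a small Python parser for netfilter LOG entries like the ones above. It separates the logged ICMP packet from the bracketed packet it quotes, which shows which UDP datagram each "unreachable" reply refers to. The function names and the `SAMPLE` string (one entry from the post, re-joined onto a single line) are assumptions of this example.

```python
import re

# One entry from the log above, re-joined onto a single line (the mail wrapped it).
SAMPLE = (
    "[1086086.829327] SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 "
    "DST=192.168.1.14 LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=3399 PROTO=UDP SPT=6666 DPT=6666 LEN=14 ]"
)

FIELD = re.compile(r"(\w+)=(\S*)")
# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1812.
UNREACH = {0: "net unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable",
           13: "administratively prohibited"}


def fields(text):
    """KEY=VALUE pairs; first value wins, since LEN occurs twice (IP, then UDP)."""
    out = {}
    for key, value in FIELD.findall(text):
        out.setdefault(key, value)
    return out


def parse(line):
    """Split a netfilter LOG line into the logged packet and the packet it quotes."""
    quoted = re.search(r"\[(SRC=[^\]]*)\]", line)
    prefix = re.search(r"(\S+) IN=", line)
    return {
        "prefix": prefix.group(1) if prefix else None,
        "outer": fields(line[:quoted.start()] if quoted else line),
        "inner": fields(quoted.group(1)) if quoted else None,
    }


def explain(line):
    """Describe an ICMP destination-unreachable entry; None for anything else."""
    p = parse(line)
    o, i = p["outer"], p["inner"]
    if o.get("PROTO") != "ICMP" or o.get("TYPE") != "3" or not i:
        return None
    return {
        "rule": p["prefix"],
        "reporter": o["SRC"],
        "reason": UNREACH.get(int(o["CODE"]), "code " + o["CODE"]),
        "original": f'{i["PROTO"]} {i["SRC"]}:{i.get("SPT")} -> {i["DST"]}:{i.get("DPT")}',
        # True when the error comes from the quoted packet's own destination.
        "mirrored": (i["SRC"], i["DST"]) == (o["DST"], o["SRC"]),
    }
```

For the sample entry, `explain(SAMPLE)` reports that 192.168.1.15 answered "port unreachable" to the UDP datagram 192.168.1.14:6666 -> 192.168.1.15:6666, and that the reply was dropped by the SFW2-INext-DROP-DEFLT rule on its way back in.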
