RE: [suse-security] SuSEfirewall2 Logging Question - WORKING THEORY
Thanks to all for the replies that helped me formulate this working theory. Here it is:

This system is a low priority MX record, and thus should not regularly receive inbound mail. Seconds before this FW log entry, there was an inbound mail from the listed address, 211.26.232.31. The spam filters rejected the mail and attempted to bounce it or deny it, and some router along the way, 203.134.26.220, sent a source-quench (PROTO=ICMP TYPE=4) which was blocked by SuSEfirewall2 and logged.

Any comments or corrections are most welcome.

Grant

-----Original Message-----
From: C. E. Brooks [mailto:charles.brooks@swgsys.com]
Sent: Tuesday, December 09, 2003 5:55 PM
To: Sturgis, Grant; suse-security@suse.com
Subject: Re: [suse-security] SuSEfirewall2 Logging Question

The data in the "[]" is from the IP packet that ICMP is reporting. The brackets are used to distinguish the reported SRC/DST from those of the ICMP packet itself. In this case the type code of "0" means that the report is an "echo reply". That is the normal result of executing "ping". The ICMP messages report SRC/DST IP addresses that are copied from the IP packet that caused the ICMP packet to be generated.

See RFC792 at URL http://www.ietf.org/rfc/rfc0792.txt

Yours,
Charles /ceb\

From RFC792:

" ... Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used. ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP, and must be implemented by every IP module. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.

The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. There are still no guarantees that a datagram will be delivered or a control message will be returned. Some datagrams may still be undelivered without any report of their loss. The higher level protocols that use IP must implement their own reliability procedures if reliable communication is required. The ICMP messages typically report errors in the processing of datagrams. To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages. Also ICMP messages are only sent about errors in handling fragment zero of fragmented datagrams. (Fragment zero has the fragment offset equal zero). "
I am getting the following logs from a SuSEfirewall2:
Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29755 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=111 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
Dec 7 23:02:02 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29843 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=72 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
My questions are:
Why is the MAC address what appears to be 2 MAC addresses concatenated together?

Why is there SRC and DST inside [] and why are they different from the other IPs mentioned? This system's IP address is 192.168.100.242, which appears as the DST in the non-[] text, but is the SRC in the text inside the []. What gives?
Any comments are most welcome.
Grant
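Both questions in the thread come down to reading a netfilter LOG line correctly, so here is an added example (not code from the thread or from SuSEfirewall2) that parses one of the logged lines above and decodes the two fields that caused confusion. It relies on two facts about the netfilter LOG target: the MAC= field is the destination MAC, the source MAC and the EtherType concatenated (which is why it looks like two MAC addresses), and for ICMP error messages the bracketed part is the IP header quoted from the datagram that triggered the error, as RFC 792 describes. The consistency check at the end is the one a defender wants: an ICMP error is only plausible if the quoted header's SRC is this host (the outer DST), i.e. it refers to a packet we actually sent; otherwise the message is unrelated noise or forged. The sample input is the first log line from the message above; the ICMP type table is the RFC 792 subset that commonly appears in firewall logs.

```python
import re
from dataclasses import dataclass, field

# ICMP message types as numbered in RFC 792 (subset seen in firewall logs)
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
}
# Error messages: they carry the IP header of the datagram that triggered them,
# which netfilter prints inside [ ... ].
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>\S+) (?P<body>.*)$"
)


@dataclass
class FwLogEntry:
    timestamp: str
    host: str
    prefix: str                                    # e.g. SuSE-FW-DROP-ICMP-CRIT
    outer: dict = field(default_factory=dict)      # KEY=value fields of the logged packet
    flags: set = field(default_factory=set)        # bare tokens such as DF
    inner: dict = field(default_factory=dict)      # fields of the header quoted in [ ]
    inner_flags: set = field(default_factory=set)  # e.g. FRAG:64


def _split_tokens(text, kv, flags):
    """KEY=value tokens go to kv, anything else (DF, FRAG:64, ...) to flags."""
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv[key] = value                        # "OUT=" yields an empty string
        else:
            flags.add(tok)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    entry = FwLogEntry(m.group("ts"), m.group("host"), m.group("prefix"))
    body = m.group("body")
    lb, rb = body.find("["), body.rfind("]")
    if lb != -1 and rb > lb:
        # The bracketed part is the header of the packet the ICMP message reports on.
        _split_tokens(body[lb + 1:rb], entry.inner, entry.inner_flags)
        body = body[:lb] + body[rb + 1:]
    _split_tokens(body, entry.outer, entry.flags)
    return entry


def split_mac(mac_field):
    """netfilter's MAC= field is dst MAC, src MAC and EtherType, all colon-joined."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field: %r" % mac_field)
    return {
        "dst_mac": ":".join(octets[:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:]),  # 0x0800 = IPv4
    }


def explain_icmp(entry):
    """Name the ICMP type and check that a quoted header really refers to our own traffic."""
    if entry.outer.get("PROTO") != "ICMP":
        return None
    icmp_type = int(entry.outer["TYPE"])
    info = {
        "type": icmp_type,
        "code": int(entry.outer["CODE"]),
        "name": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
        "is_error": icmp_type in ICMP_ERROR_TYPES,
        "refers_to_our_packet": None,
    }
    if info["is_error"] and entry.inner:
        # RFC 792: the quoted header is copied from the datagram that caused the
        # error, so its SRC must be the host the ICMP was delivered to (outer DST).
        # A mismatch means the ICMP matches nothing this host sent.
        info["refers_to_our_packet"] = entry.inner.get("SRC") == entry.outer.get("DST")
    return info


# Sample input: the first log line quoted in the thread.
SAMPLE = ("Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= "
          "MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 "
          "DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF "
          "PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 "
          "TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]")

if __name__ == "__main__":
    e = parse_line(SAMPLE)
    print(split_mac(e.outer["MAC"]))
    print(explain_icmp(e))
    print(e.inner, e.inner_flags)
```

Run on the sample line, the MAC field splits into this host's NIC (00:b0:d0:c6:12:b5) as destination, the upstream router's NIC as source and EtherType 0x0800, and the ICMP decodes as type 4 "source quench" whose quoted header has SRC equal to the outer DST, so it does refer to a TCP segment this mail server sent to 211.26.232.31.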