Hi Everyone.

Since opening up the http port with Yast2 under SuSE 8.0 (to be able to serve web pages via apache) /var/log/firewall has grown to enormous proportions with stuff like this:

Sep 27 22:11:37 altea kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:50:bf:d6:1d:56:00:60:68:81:10:c7:08:00 SRC=194.179.92.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=252 ID=5318 PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=17091 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Sep 27 22:17:18 altea kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:bf:d6:1d:56:00:60:68:81:10:c7:08:00 SRC=80.34.65.60 DST=192.168.1.2 LEN=51 TOS=0x00 PREC=0x00 TTL=116 ID=12846 PROTO=UDP SPT=2933 DPT=4668 LEN=31

I close port 80 and all is back calm again. Any security gurus able to give any advice here?

Thanks,
Steve.
* steve (fsanta@arrakis.es) [020927 15:15]:
> Sep 27 22:11:37 altea kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:50:bf:d6:1d:56:00:60:68:81:10:c7:08:00 SRC=194.179.92.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=252 ID=5318 PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=17091 DF PROTO=TCP INCOMPLETE [8 bytes] ]
194.179.92.1 is sending source quench messages to 192.168.1.2 (i.e., they are asking you to slow down your transmission) and you are blocking them. This may or may not be what you want but it's configurable.
> Sep 27 22:17:18 altea kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:bf:d6:1d:56:00:60:68:81:10:c7:08:00 SRC=80.34.65.60 DST=192.168.1.2 LEN=51 TOS=0x00 PREC=0x00 TTL=116 ID=12846 PROTO=UDP SPT=2933 DPT=4668 LEN=31
80.34.65.60 sent a datagram to port 4668 on 192.168.1.2 and you blocked it. Since it's a high port this could be anything: a masqueraded udp connection, port scan, etc. If you are running a nameserver on the firewall you'll need to allow this, otherwise just ignore it. You may want to decrease the deny logging a bit unless you are still debugging the firewall.

-- 
-ckm
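An added example, not part of the thread: a small Python parser for the SuSE-FW kernel log format quoted above. It pulls out the fields the reply reads off by hand (the ICMP type and the embedded original packet header, the UDP destination port) and tallies drops by rule, so a noisy /var/log/firewall can be summarised before deciding what logging to turn down. The two sample lines are copied from the thread; the ICMP type names come from RFC 792.

```python
import re
from collections import Counter

# Sample input constructed from the two lines quoted in the thread.
SAMPLE_LOG = """\
Sep 27 22:11:37 altea kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:50:bf:d6:1d:56:00:60:68:81:10:c7:08:00 SRC=194.179.92.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=252 ID=5318 PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=17091 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Sep 27 22:17:18 altea kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:bf:d6:1d:56:00:60:68:81:10:c7:08:00 SRC=80.34.65.60 DST=192.168.1.2 LEN=51 TOS=0x00 PREC=0x00 TTL=116 ID=12846 PROTO=UDP SPT=2933 DPT=4668 LEN=31
"""

LINE_RE = re.compile(r"kernel: (SuSE-FW-\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# RFC 792 type numbers; source quench (4) was deprecated by RFC 6633 and
# modern stacks ignore it, so dropping it costs nothing.
ICMP_TYPES = {3: "destination unreachable", 4: "source quench",
              8: "echo request", 11: "time exceeded"}

def parse_line(line):
    """Turn one SuSE-FW kernel log line into a dict of its KEY=value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"rule": m.group(1)}
    rest, inner = m.group(2), None
    # ICMP error messages carry the header of the packet they refer to in [...]
    if "[" in rest:
        rest, inner = rest.split("[", 1)
        inner = inner.rsplit("]", 1)[0]
    rec.update(KV_RE.findall(rest))  # a repeated key (UDP LEN) keeps the last value
    if inner is not None:
        rec["orig"] = dict(KV_RE.findall(inner))
    return rec

def explain(rec):
    """One-line reading of a record, the way the reply above does by hand."""
    if rec["PROTO"] == "ICMP":
        name = ICMP_TYPES.get(int(rec["TYPE"]), "type " + rec["TYPE"])
        o = rec.get("orig", {})
        about = f" about our {o['PROTO']} traffic to {o['DST']}" if o else ""
        return f"{rec['SRC']} -> {rec['DST']}: ICMP {name}{about} ({rec['rule']})"
    kind = "well-known" if int(rec["DPT"]) < 1024 else "high (ephemeral)"
    return (f"{rec['SRC']}:{rec['SPT']} -> {rec['DST']}:{rec['DPT']} {rec['PROTO']}, "
            f"{kind} port ({rec['rule']})")

def summarize(text):
    """Tally drops by (rule, protocol, ICMP type or dest port) to see what fills the log."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return Counter((r["rule"], r["PROTO"], r.get("TYPE") or r.get("DPT")) for r in recs)
```

Feed the file in with `summarize(open("/var/log/firewall").read())` and the most common tuples show which rule is producing the volume; `explain(parse_line(line))` reads a single entry.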
On Saturday 28 September 2002 00:50, Christopher Mahmood wrote:
> * steve (fsanta@arrakis.es) [020927 15:15]:
> > Sep 27 22:11:37 altea kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:50:bf:d6:1d:56:00:60:68:81:10:c7:08:00 SRC=194.179.92.1 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=252 ID=5318 PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=17091 DF PROTO=TCP INCOMPLETE [8 bytes] ]
> 194.179.92.1 is sending source quench messages to 192.168.1.2 (i.e., they are asking you to slow down your transmission) and you are blocking them. This may or may not be what you want but it's configurable.
Does that mean that they can't see my website? In which case how can I slow down the transmission?

Thanks,
Steve.