Hi!
In our lab a firewall (SuSE 6.4) is connected to our subnet for testing. Neither the name nor the IP address of the firewall is known to any DNS. Nevertheless, for about 2 weeks I have been getting the following ipchains log entries (a.b.c.d is the IP address of our firewall):

Sep 27 16:26:39 fw kernel: Packet log: input DENY eth2 PROTO=1 207.88.240.105:3 a.b.c.d:1 L=56 S=0x00 I=0 F=0x0000 T=241 (#22)
Sep 27 18:57:57 fw kernel: Packet log: input DENY eth2 PROTO=1 207.88.240.105:3 a.b.c.d:1 L=56 S=0x00 I=0 F=0x0000 T=239 (#22)
Sep 28 00:05:10 fw kernel: Packet log: input DENY eth2 PROTO=1 209.249.0.17:11 a.b.c.d:0 L=56 S=0x00 I=0 F=0x0000 T=240 (#22)
Sep 28 13:54:07 fw kernel: Packet log: input DENY eth2 PROTO=1 207.88.240.105:3 a.b.c.d:1 L=56 S=0x00 I=0 F=0x0000 T=239 (#22)

Those packets arrive about 2 times a day. Is this anything I have to worry about?
Thanks in advance, Bernhard
proto 1 is icmp, type 3 is uhhhh (cheats and looks at rfc 792, hey, I'm hungover!) 3 = port unreachable. These could be 100% innocent packets, the remote system basically telling you "that port is unreachable" (do you use the internet through this firewall? if so that's probably it). OTOH they could be dangerous packets generated by an attacker (possible but unlikely). As for worrying, depends how paranoid you are I suppose. -Kurt
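To make the "what ICMP is this?" question answerable at a glance, here is an added example (not code from either poster) that parses ipchains "Packet log:" lines of the shape quoted above and decodes the ICMP type and code. It assumes the ipchains convention that, for PROTO=1, the source "port" field carries the ICMP type and the destination "port" field carries the ICMP code; the type/code names follow RFC 792. The sample lines are the four from the thread, with the a.b.c.d placeholder kept as-is.

```python
import re
from collections import Counter

# Constructed sample input: the four ipchains lines quoted in the thread.
SAMPLE_LOG = [
    "Sep 27 16:26:39 fw kernel: Packet log: input DENY eth2 PROTO=1 207.88.240.105:3 a.b.c.d:1 L=56 S=0x00 I=0 F=0x0000 T=241 (#22)",
    "Sep 27 18:57:57 fw kernel: Packet log: input DENY eth2 PROTO=1 207.88.240.105:3 a.b.c.d:1 L=56 S=0x00 I=0 F=0x0000 T=239 (#22)",
    "Sep 28 00:05:10 fw kernel: Packet log: input DENY eth2 PROTO=1 209.249.0.17:11 a.b.c.d:0 L=56 S=0x00 I=0 F=0x0000 T=240 (#22)",
    "Sep 28 13:54:07 fw kernel: Packet log: input DENY eth2 PROTO=1 207.88.240.105:3 a.b.c.d:1 L=56 S=0x00 I=0 F=0x0000 T=239 (#22)",
]

# One ipchains packet-log line; the trailing "(#N)" rule number is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?\s*$"
)

# ICMP type names and the per-type code names from RFC 792.
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 11: "time exceeded",
    12: "parameter problem", 13: "timestamp", 14: "timestamp reply",
}
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed", 5: "source route failed"},
    5: {0: "redirect for network", 1: "redirect for host",
        2: "redirect for TOS and network", 3: "redirect for TOS and host"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}


def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] is not None else None
    if rec["proto"] == 1:
        # ipchains logs ICMP type:code in the port positions (assumption stated in the lead-in).
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
    return rec


def describe_icmp(icmp_type, icmp_code):
    """Human-readable 'type (code)' description; unknown values are shown numerically."""
    tname = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    cname = ICMP_CODES.get(icmp_type, {}).get(icmp_code, "code %d" % icmp_code)
    return "%s (%s)" % (tname, cname)


def summarize(lines):
    """Count denied ICMP packets per (source address, decoded type/code)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 1:
            continue
        counts[(rec["src"], describe_icmp(rec["icmp_type"], rec["icmp_code"]))] += 1
    return counts


if __name__ == "__main__":
    for (src, what), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%3d  %-16s %s" % (n, src, what))
```

Run against the thread's lines, the summary shows three "destination unreachable (host unreachable)" messages from one router and one "time exceeded (TTL exceeded in transit)" from another, which is the kind of feedback an upstream router sends in response to traffic that originated behind the firewall; a defender reviewing such entries would next correlate the timestamps with outbound connections logged around the same time.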