Mailinglist Archive: opensuse-security (343 mails)

< Previous Next >
RE: [suse-security] Strange Log Message
  • From: "Reckhard, Tobias" <Reckhard@xxxxxxxxxx>
  • Date: Wed, 18 Jul 2001 16:00:56 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D134809B@xxxxxxxxxxxxxxxxx>
> I'm getting an unusual message on the console which says.....
>
> Packet log: output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx: 61417
> 194.247.47.47 L=78 S=0x00 I=36552 F=0x4000 T=63 (#5)
>
Are you sure that's all there is? I'm missing the destination port number.
61417 is the source port. The destination port could tell us what the packet
was supposed to achieve.

> Both the 61417 and the 36552 numbers rise all of the time to the next
> one and then drop back down to another one. Also getting ........
>
The rise in those numbers is their expected behaviour, since the source port
is allocated by the IP masquerading code and the IP ID, used to distinguish
IP packets from one another, seems to change in the same fashion in the
Linux TCP/IP stack.

> IP_MASQ: lp_fw_masquerade(): change masq.addr from xxx.xxx.xxx.xx to
> xxx..xxx.xxxx.xx. Both these addresses are on this machine. One of
> them is eth0 and the other is the address of the machine.
>
Could be the machine is running out of source ports to use or the
masquerading table per source address is full. I don't know if the latter is
real, though, i.e. if there is a separate table per source address.

> Seen this on every SuSE 7.1 machine that I've installed. Anyone know
> what to do about it ?
>
Well, why do you have ipchains rules configured to block that traffic and
what is generating it, those are the questions to be answered.

Cheers,
Tobias


< Previous Next >
Follow Ups