RE: [suse-security] SuSEfirewall2 Logging Question - WORKING THEORY
  • From: "Sturgis, Grant" <Grant.Sturgis@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 10 Dec 2003 11:35:00 -0700
  • Message-id: <17CAB0BF27BCFC47B0E4554A0E2F962B4CB4@xxxxxxxxxxxxxxxx>
Thanks to all for the replies that helped me formulate this working theory.

Here it is:

This system is a low priority MX record, and thus should not regularly receive inbound mail. Seconds before this FW log entry, there was an inbound mail from the listed address, 211.26.232.31. The spam filters rejected the mail and attempted to bounce it or deny it and some router along the way, 203.134.26.220, sent a source-quench (PROTO=ICMP TYPE=4) which was blocked by SuSEfirewall2 and logged.

Any comments or corrections are most welcome.

Grant

-----Original Message-----
From: C. E. Brooks [mailto:charles.brooks@xxxxxxxxxx]
Sent: Tuesday, December 09, 2003 5:55 PM
To: Sturgis, Grant; suse-security@xxxxxxxx
Subject: Re: [suse-security] SuSEfirewall2 Logging Question


The data in the "[]" is from the IP packet that ICMP is
reporting. The brackets are used to distinguish the reported
SRC/DST from those of the ICMP packet itself.

In this case the type code of "0" means that the report is
an "echo reply". That is the normal result of executing
"ping".

The ICMP messages report SRC/DST IP addresses that
are copied from the IP packet that caused the ICMP packet
to be generated.

See RFC792 at URL http://www.ietf.org/rfc/rfc0792.txt

Yours,

Charles

/ceb\


- From RFC792 :

" ... Occasionally a
gateway or destination host will communicate with a source host, for
example, to report an error in datagram processing. For such
purposes this protocol, the Internet Control Message Protocol (ICMP),
is used. ICMP, uses the basic support of IP as if it were a higher
level protocol, however, ICMP is actually an integral part of IP, and
must be implemented by every IP module.

ICMP messages are sent in several situations: for example, when a
datagram cannot reach its destination, when the gateway does not have
the buffering capacity to forward a datagram, and when the gateway
can direct the host to send traffic on a shorter route.

The Internet Protocol is not designed to be absolutely reliable. The
purpose of these control messages is to provide feedback about
problems in the communication environment, not to make IP reliable.
There are still no guarantees that a datagram will be delivered or a
control message will be returned. Some datagrams may still be
undelivered without any report of their loss. The higher level
protocols that use IP must implement their own reliability procedures
if reliable communication is required.

The ICMP messages typically report errors in the processing of
datagrams. To avoid the infinite regress of messages about messages
etc., no ICMP messages are sent about ICMP messages. Also ICMP
messages are only sent about errors in handling fragment zero of
fragmented datagrams. (Fragment zero has the fragment offset equal
zero). "



> I am getting the following logs from a SuSEfirewall2:
>
> Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
>
> Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29755 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=111 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
>
> Dec 7 23:02:02 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29843 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=72 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
>
> My questions are:
>
> Why is the MAC address what appears to be 2 MAC addresses concatenated
> together? Why is there SRC and DST inside [] and why are they different
> from the other IPs mentioned? This system's IP address is 192.168.100.242,
> which appears as the DST in the non-[] text, but is the SRC in the text
> inside the []. What gives?
>
> Any comments are most welcome.
>
> Grant
>
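
As an added example (not part of the thread, and not SuSEfirewall2 code), a small Python parser that pulls apart one of the log lines quoted above: the MAC field into destination MAC, source MAC and ethertype, the outer ICMP packet, the quoted inner IP header in the "[]", and a sanity check that the quoted SRC is the logging host itself, which is what RFC 792 says an error report should carry. The ICMP type names are the RFC 792 error types; the sample line is the first entry from Grant's mail.

```python
import re

# Sample input taken from the first log entry quoted in the thread.
SAMPLE_LOG = (
    "Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= "
    "MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 "
    "DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF "
    "PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]"
)

# RFC 792 error messages: these carry a copy of the offending IP header.
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    5: "redirect", 11: "time exceeded", 12: "parameter problem"}

# prefix, outer KEY=VALUE fields, then an optional "[...]" with the inner header
LINE_RE = re.compile(
    r"kernel:\s+(?P<prefix>\S+)\s+(?P<outer>[^\[]*?)(?:\[(?P<inner>[^\]]*)\])?\s*$"
)

def parse_fields(text):
    """Parse netfilter LOG tokens: KEY=VALUE, FRAG:64 style, or bare flags (DF)."""
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
        elif ":" in tok:
            key, val = tok.split(":", 1)
        else:
            key, val = tok, True
        fields[key] = val
    return fields

def split_mac(mac):
    """The MAC field is the raw 14-byte Ethernet header: dst MAC, src MAC, ethertype."""
    o = mac.split(":")
    return {"dst_mac": ":".join(o[0:6]), "src_mac": ":".join(o[6:12]),
            "ethertype": "0x" + "".join(o[12:14])}

def parse_icmp_drop(line):
    """Return link-layer, outer and quoted inner headers of one SuSEfirewall2 line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    outer = parse_fields(m.group("outer"))
    inner = parse_fields(m.group("inner")) if m.group("inner") else {}
    icmp_type = int(outer.get("TYPE", -1))
    return {
        "prefix": m.group("prefix"),
        "link": split_mac(outer["MAC"]) if outer.get("MAC") else None,
        "outer": outer,
        "inner": inner,
        "icmp_type_name": ICMP_ERROR_TYPES.get(icmp_type, "type %d" % icmp_type),
        # the quoted datagram should be one we sent, so its SRC is our own address;
        # a mismatch means the report is about someone else's packet (or is spoofed)
        "inner_matches_us": inner.get("SRC") == outer.get("DST"),
    }
```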


