From: JC on
Hi,

I have noticed over the past few weeks a slow build up of reports of ICMP
packets being blocked by my firewall. The firewall reports follow the pattern
below:-

ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -

The firewall drops them as 'Destination Unreachable' since port 1 doesn't exist
on the firewall. I know that they aren't pings but I am puzzled as to what
they are. My concern is that they may be legit traffic that is being blocked.

Are others seeing these packets also? Can anyone tell me what these packets
are?
--

Cheers . . . JC
From: Duane Arnold on
JC <jhoppyc(a)westnet.com.invalid> wrote in
news:stqii11n4e9is5g5o5q0r1dgcrlje1or4c(a)4ax.com:

> Hi,
>
> I have noticed over the past few weeks a slow build up of reports of
> ICMP packets being blocked by my firewall. The firewall reports
> follow the pattern below:-
>
> ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z,
> 1, LAN -
>
> The firewall drops them as 'Destination Unreachable' since port 1
> doesn't exist on the firewall.

That just means that the packet filter/personal FW is dropping the
unsolicited inbound packets and is sending back the proper response to the
requester of 'Destination Unreachable'. There is a port 1 TCP/UDP but since
the traffic is unsolicited, the packets are being dropped by the packet
filter/personal FW.

> I know that they aren't pings but I
> am puzzled as to what they are. My concern is that they may be legit
> traffic that is being blocked.

If the traffic is being dropped by the packet filter/PFW, it's unsolicited
inbound traffic the FW packet filter/PFW should not be letting through to
the machine.

You should find out who the IP belongs to with ARIN Whois by entering the
IP into the Whois search block. You should make the determination if the IP
is a legit IP -- most likely it is not a legit IP.

http://www.arin.net/index.html

You should be happy that the unsolicited inbound traffic is being blocked
and forget about it.

Duane :)
From: Mailman on
On Thu, 15 Sep 2005 13:24:44 +0000, Duane Arnold wrote:

> JC <jhoppyc(a)westnet.com.invalid> wrote in
> news:stqii11n4e9is5g5o5q0r1dgcrlje1or4c(a)4ax.com:
>
>> Hi,
>>
>> I have noticed over the past few weeks a slow build up of reports of
>> ICMP packets being blocked by my firewall. The firewall reports
>> follow the pattern below:-
>>
>> ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z,
>> 1, LAN -
>>
>> The firewall drops them as 'Destination Unreachable' since port 1
>> doesn't exist on the firewall.
>
> That just means that the packet filter/personal FW is dropping the
> unsolicited inbound packets and is sending back the proper response to the
> requester of 'Destination Unreachable'. There is a port 1 TCP/UDP but since
> the traffic is unsolicited, the packets are being dropped by the packet
> filter/personal FW.

The OP said ICMP packets, so your explanation doesn't really hold. ICMP
type 1 is unassigned, type 3 is Destination Unreachable.

Depending on the firewall type, ICMP logging can be misleading. There are
no ports for ICMP - just types, and the log shows these as "ports". Check
your documentation to see what the log means. If the packets are type 3
you don't really want to block them, as that would mean your clients won't
find out about non-existent destinations. At the very least you could
filter as per the code field, letting only a sub-set through. Type 1 is
unassigned and completely safe to block and ignore.
--
Mailman
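
As an added illustration of filtering type 3 by the code field (not part of the thread and not any firewall's own code): the sketch reads the ICMP type and code as RFC 792 defines them, lets through only a subset of Destination Unreachable codes, and accepts a message only when the original header embedded in it matches a flow the LAN actually sent. The allowed-code set, the flow table and the addresses are assumptions constructed for the example.

```python
import socket
import struct

# RFC 792 codes for type 3 (Destination Unreachable)
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF set", 5: "source route failed"}
ALLOWED_CODES = {0, 1, 3, 4}   # assumed policy subset, not taken from the thread

def filter_icmp(icmp: bytes, outbound_flows: set) -> str:
    """Return 'accept: ...' or 'drop: ...' for one inbound ICMP message."""
    if len(icmp) < 8:
        return "drop: truncated ICMP header"
    icmp_type, code = icmp[0], icmp[1]   # ICMP carries type and code, no ports
    if icmp_type != 3:
        return f"drop: type {icmp_type} is outside this sketch (only type 3 is examined)"
    if code not in ALLOWED_CODES:
        return f"drop: code {code} ({UNREACH_CODES.get(code, 'unknown')}) not in allowed subset"
    inner = icmp[8:]   # original IP header + first 64 bits of the original datagram
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return "drop: no embedded IPv4 header"
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        return "drop: embedded datagram too short"
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if (proto, src, sport, dst, dport) not in outbound_flows:
        return "drop: unsolicited, matches no outbound flow"
    return f"accept: {UNREACH_CODES[code]} for {dst}:{dport}"

def build_unreachable(code, proto, src, sport, dst, dport):
    """Construct a sample type 3 message (checksums left zero, test data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + udp

# Constructed flow table: one UDP query sent from a LAN host (documentation addresses)
FLOWS = {(17, "192.0.2.10", 40000, "198.51.100.7", 53)}
SOLICITED = build_unreachable(1, 17, "192.0.2.10", 40000, "198.51.100.7", 53)
UNSOLICITED = build_unreachable(1, 17, "192.0.2.10", 40001, "203.0.113.9", 1)

if __name__ == "__main__":
    for msg in (SOLICITED, UNSOLICITED):
        print(filter_icmp(msg, FLOWS))
```
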


From: Duane Arnold on
Mailman <mailman(a)anonymous.org> wrote in
news:1126798462_1289(a)spool6-east.superfeed.net:

> On Thu, 15 Sep 2005 13:24:44 +0000, Duane Arnold wrote:
>
>> JC <jhoppyc(a)westnet.com.invalid> wrote in
>> news:stqii11n4e9is5g5o5q0r1dgcrlje1or4c(a)4ax.com:
>>
>>> Hi,
>>>
>>> I have noticed over the past few weeks a slow build up of reports of
>>> ICMP packets being blocked by my firewall. The firewall reports
>>> follow the pattern below:-
>>>
>>> ICMP packet dropped - Source:a.b.c.d, 3, WAN -
>>> Destination:w.x.y.z, 1, LAN -
>>>
>>> The firewall drops them as 'Destination Unreachable' since port 1
>>> doesn't exist on the firewall.
>>
>> That just means that the packet filter/personal FW is dropping the
>> unsolicited inbound packets and is sending back the proper response
>> to the requester of 'Destination Unreachable'. There is a port 1
>> TCP/UDP but since the traffic is unsolicited, the packets are being
>> dropped by the packet filter/personal FW.
>
> The OP said ICMP packets, so your explanation doesn't really hold.
> ICMP type 1 is unassigned, type 3 is Destination Unreachable.

So what if it's ICMP? The packets are being dropped and the *Destination is
Unreachable*.

Duane :)
From: Volker Birk on
JC <jhoppyc(a)westnet.com.invalid> wrote:
> packets being blocked by my firewall. The firewall reports follow the pattern
> below:-
> ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
> The firewall drops them as 'Destination Unreachable' since port 1 doesn't exist
> on the firewall.

ICMP has no port concept whatsoever.

> I know that they aren't pings but I am puzzled as to what
> they are. My concern is that they may be legit traffic that is being blocked.
> Are others seeing these packets also? Can anyone tell me what these packets
> are?

Please read RFC 792, http://www.rfc-editor.org

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"