From: Jason Opperisano <opie@817west.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: weird message in logs
Date: Tue, 19 Oct 2004 14:44:19 -0400
Message-ID: <20041019184419.GA3363@bender.817west.com>
In-Reply-To: <116401c4b5fc$0485cc40$49caa8c0@caris.priv>

On Tue, Oct 19, 2004 at 01:52:28PM -0300, Peter Marshall wrote:
> Below is a message I get in my messages file.  Basically, there is a company
> going to lease space from us.  I know it would have been easier to just
> stick another card in my firewall and give them a subnet, however, that is
> not possible for our setup (long story).  Anyway, I built another firewall
> for them.  This firewall sits within our internal network (physically) and
> has 2 network cards.  The firewall's internal network card is for their
> network; 192.168.90.0/24.  The external card has a network of its own
> 10.90.0.2.  My internal firewall has a sub interface eth0:1 with the number
> 10.90.0.1  (eth0 is 192.168.200.1 and is the gateway to my company's internal
> network).
> 
> What I am doing at the moment is ssh'ing to the newly created firewall
> called rubidium on port 15422.  I get the following in my messages file.
> Does anyone know how to correct this problem?  It does not prevent me from
> sshing, however, I would prefer to not have errors in my log files.
> 
> Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT=
> MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2
> LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1
> GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10
> PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576
> RES=0x00 ACK PSH URGP=0 ]

machine 10.90.0.1 is sending an ICMP Redirect message to 10.90.0.2 saying
that the next hop for 192.168.202.73 is 192.168.202.73...

if you don't want to see these logs:

(a) disable the sending of ICMP Redirects on 10.90.0.1:  
      sysctl -w net.ipv4.conf.eth0.send_redirects=0
(b) drop, but don't log "-p icmp --icmp-type 5/1" on 10.90.0.2
(c) accept, and don't log "-p icmp --icmp-type 5/1" on 10.90.0.2

if it were me--i'd opt for "a"

-j

-- 
Jason Opperisano <opie@817west.com>
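
Added example (not part of the original message or of netfilter): a small Python parser that picks ICMP Redirect entries (TYPE=5) out of netfilter LOG lines like the one quoted above and reports who sent the redirect, which gateway it advertises, and which destination it concerns. The function names and the 10.90.0.0/24 prefix are assumptions; the post does not give the netmask.

```python
import re
from ipaddress import ip_address, ip_network

# First entry is the log line from the post (unwrapped); the second is constructed.
SAMPLE_LOG = [
    "Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT= "
    "MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2 "
    "LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1 "
    "GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10 "
    "PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576 "
    "RES=0x00 ACK PSH URGP=0 ]",
    "Oct 19 14:47:10 rubidium kernel: REJECT: INPUT IN=eth1 OUT= SRC=10.90.0.9 "
    "DST=10.90.0.2 LEN=60 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=23 SYN URGP=0",
]

# ICMP type 5 codes (RFC 792)
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS+network", 3: "TOS+host"}
KV = re.compile(r"(\w+)=(\S*)")

def parse_redirect(line):
    """Return a dict describing an ICMP Redirect log entry, or None for other lines."""
    # Fields before '[' describe the ICMP packet; the bracket holds the header
    # of the original packet that caused the redirect.
    outer_txt, _, inner_txt = line.partition("[")
    outer = dict(KV.findall(outer_txt))
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "5":
        return None
    inner = dict(KV.findall(inner_txt))
    return {
        "sender": outer["SRC"],       # router issuing the redirect
        "target": outer["DST"],       # host being told to change its route
        "kind": REDIRECT_CODES.get(int(outer["CODE"]), "unknown"),
        "gateway": outer["GATEWAY"],  # next hop the sender advertises
        "for_dst": inner.get("DST"),  # destination the redirect applies to
        # True when the advertised next hop is the destination itself
        "gateway_is_dst": outer["GATEWAY"] == inner.get("DST"),
    }

def gateway_on_link(entry, local_net):
    """True if the advertised gateway lies inside the receiver's subnet.
    local_net is supplied by the caller (an assumption here)."""
    return ip_address(entry["gateway"]) in ip_network(local_net)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_redirect(line)
        if entry:
            print(entry, "on-link:", gateway_on_link(entry, "10.90.0.0/24"))
```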

