From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Bo Jacobsen <subs@systemhouse.dk>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Question; what is this netfilter logfile entry ?
Date: Sun, 14 Nov 2004 05:51:03 -0500
Message-ID: <1100429463.5934.420.camel@grendel>
In-Reply-To: <000c01c4c9f0$4807a0d0$de0aa8c0@comp>
On Sat, 2004-11-13 at 21:18, Bo Jacobsen wrote:
>
> Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]
>
> It looks like ICMP with an embedded DNS call?
It's an ICMP port unreachable. Looks like 198.41.0.4 tried to send a
reply to one of your DNS queries, took too long to respond, and by the
time they did the port was closed. What's kind of interesting is that it
was a full size answer so I'm guessing the truncation bit was set. This
means that if this packet had been returned in time your system would
have had to switch to TCP to get a full answer.
The UDP info is embedded in the payload so the remote system knows which
port was unreachable. This is in case multiple sessions were running at
the same time. Perfectly normal for an ICMP error packet.
> What is it exactly, and what would a rule to allow this look like?
This would be permitted if you are letting "RELATED" traffic through.
This ensures that only legit ICMP errors are passed. While you could
define an accept rule for the ICMP type code, this would let all
matching traffic through opening up the possibilities of a covert
communication channel.
HTH,
Chris
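To make the reply above concrete, here is an added example (not part of the thread, and not netfilter's own code) that parses LOG entries of the form quoted in the question, pulls out the embedded header that netfilter prints inside the square brackets for ICMP errors, and then approximates the RELATED decision: the error is treated as legitimate only when the packet it quotes belongs to a flow the host itself opened. The flow table is a constructed stand-in for the kernel's conntrack table, the second and third log lines are constructed, and the classification strings are this example's own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Input lines. The first is the entry quoted in the thread; the second is a
# constructed ICMP error about traffic this host never sent; the third is a
# constructed log of the outbound DNS query that the first error refers to.
SAMPLE_LOGS = [
    "Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 "
    "DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 "
    "TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]",
    "Nov 14 02:30:01 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 "
    "DST=203.0.113.9 LEN=56 TOS=0x00 PREC=0xC0 TTL=64 ID=4000 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=203.0.113.9 DST=192.168.1.2 LEN=28 TOS=0x00 PREC=0x00 "
    "TTL=50 ID=1 PROTO=UDP SPT=40000 DPT=1434 LEN=8 ]",
    "Nov 14 02:24:47 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 "
    "DST=198.41.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3100 PROTO=UDP "
    "SPT=51981 DPT=53 LEN=40",
]

# A flow as this example tracks it: (proto, src, sport, dst, dport).
Flow = Tuple[str, str, str, str, str]

# netfilter LOG fields are KEY=value tokens; IN= may legitimately be empty.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

# ICMP type/code pairs that are error messages carrying an embedded header.
ICMP_ERROR_NAMES = {
    ("3", "0"): "net unreachable",
    ("3", "1"): "host unreachable",
    ("3", "3"): "port unreachable",
    ("11", "0"): "time exceeded in transit",
}


def parse_netfilter_line(line: str) -> Dict[str, Optional[Dict[str, str]]]:
    """Split a LOG entry into its outer header fields and, for ICMP errors,
    the embedded header netfilter prints inside [ ... ]. For the embedded
    part the IP LEN and the UDP LEN both appear; the later (UDP) one wins."""
    outer_text, bracket, inner_text = line.partition("[")
    outer = dict(KV_RE.findall(outer_text))
    inner = dict(KV_RE.findall(inner_text)) if bracket else None
    return {"outer": outer, "inner": inner}


def outbound_flow(line: str) -> Optional[Flow]:
    """Return the flow tuple for a plain (non-ICMP) outbound entry, i.e. the
    kind of packet that would create a conntrack entry, else None."""
    outer = parse_netfilter_line(line)["outer"]
    if outer.get("PROTO") not in ("UDP", "TCP") or not outer.get("OUT"):
        return None
    return (outer["PROTO"], outer["SRC"], outer["SPT"], outer["DST"], outer["DPT"])


def classify_icmp_error(line: str, tracked: Set[Flow]) -> str:
    """Approximate RELATED: accept an ICMP error only when the packet it
    quotes is the reply half of a flow this host opened. A well-formed error
    about traffic we never sent is reported as 'unrelated'."""
    parsed = parse_netfilter_line(line)
    outer, inner = parsed["outer"], parsed["inner"]
    if outer.get("PROTO") != "ICMP" or inner is None:
        return "not-an-icmp-error"
    name = ICMP_ERROR_NAMES.get((outer.get("TYPE"), outer.get("CODE")), "other ICMP error")
    # The host that emits the error must be the destination of the quoted packet.
    if inner.get("DST") != outer.get("SRC"):
        return f"malformed {name}: embedded header does not match outer header"
    # The quoted packet was inbound to us, so the flow we opened is its reverse.
    reverse: Flow = (inner.get("PROTO", ""), inner.get("DST", ""), inner.get("DPT", ""),
                     inner.get("SRC", ""), inner.get("SPT", ""))
    return f"related {name}" if reverse in tracked else f"unrelated {name}"


def analyse(lines: List[str]) -> List[str]:
    """First learn the flows from ordinary outbound entries, then classify
    every line; results are returned in input order."""
    tracked: Set[Flow] = set()
    for line in lines:
        flow = outbound_flow(line)
        if flow is not None:
            tracked.add(flow)
    return [classify_icmp_error(line, tracked) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOGS, analyse(SAMPLE_LOGS)):
        print(f"{verdict:35s} {line[:60]}...")
```

The point the check makes visible is the one in the reply: a rule that accepts every ICMP type 3 code 3 would pass the second line too, whereas matching on RELATED passes only an error whose quoted packet corresponds to a flow the host actually opened. The real conntrack table also expires entries, so an error that arrives after the UDP timeout is no longer RELATED even if it once would have been.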