Linux Netfilter discussions
* weird message in logs
@ 2004-10-19 16:52 Peter Marshall
  2004-10-19 18:38 ` Aleksandar Milivojevic
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Peter Marshall @ 2004-10-19 16:52 UTC (permalink / raw)
  To: netfilter

Below is a message I get in my messages file.  Basically, there is a company
going to lease space from us.  I know it would have been easier to just
stick another card in my firewall and give them a subnet, however, that is
not possible for our setup (long story).  Anyway, I built another firewall
for them.  This firewall sits within our internal network (physically) and
has 2 network cards.  The firewall's internal network card is for their
network; 192.168.90.0/24.  The external card has a network of its own,
10.90.0.2.  My internal firewall has a sub interface eth0:1 with the number
10.90.0.1  (eth0 is 192.168.200.1 and is the gateway to my company's internal
network).

What I am doing at the moment is ssh'ing to the newly created firewall
called rubidium on port 15422.  I get the following in my messages file.
Does anyone know how to correct this problem?  It does not prevent me from
sshing, however, I would prefer to not have errors in my log files.

Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT=
MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2
LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1
GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10
PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576
RES=0x00 ACK PSH URGP=0 ]

Thanks,
Peter Marshall




* Re: weird message in logs
  2004-10-19 16:52 weird message in logs Peter Marshall
@ 2004-10-19 18:38 ` Aleksandar Milivojevic
  2004-10-20 11:30   ` Peter Marshall
  2004-10-19 18:44 ` Jason Opperisano
  2004-10-19 21:16 ` [FAQ] " Cedric Blancher
  2 siblings, 1 reply; 8+ messages in thread
From: Aleksandar Milivojevic @ 2004-10-19 18:38 UTC (permalink / raw)
  To: netfilter

Peter Marshall wrote:
> Below is a message I get in my messages file.  Basically, there is a company
> going to lease space from us.  I know it would have been easier to just
> stick another card in my firewall and give them a subnet, however, that is
> not possible for our setup (long story).  Anyway, I built another firewall
> for them.  This firewall sits within our internal network (physically) and
> has 2 network cards.  The firewall's internal network card is for their
> network; 192.168.90.0/24.  The external card has a network of its own,
> 10.90.0.2.  My internal firewall has a sub interface eth0:1 with the number
> 10.90.0.1  (eth0 is 192.168.200.1 and is the gateway to my company's internal
> network).
> 
> What I am doing at the moment is ssh'ing to the newly created firewall
> called rubidium on port 15422.  I get the following in my messages file.
> Does anyone know how to correct this problem?  It does not prevent me from
> sshing, however, I would prefer to not have errors in my log files.
> 
> Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT=
> MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2
> LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1
> GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10
> PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576
> RES=0x00 ACK PSH URGP=0 ]

What happened is that your internal firewall got a packet from rubidium 
for a host on your local network.  It found out that it needs to route 
it back to the interface it came from (eth0), so it generated an ICMP host 
redirect packet (PROTO=ICMP TYPE=5 CODE=1) telling rubidium to talk to 
192.168.202.73 directly (GATEWAY=192.168.202.73).  The thing in square 
brackets is a copy of the packet that caused this ICMP redirect (it is 
part of it).

If putting 10.90.0.1 onto a separate physical interface is not an option, 
then the only thing you could do is disable generation of ICMP 
redirects on your internal firewall.

To disable them on the running host, do:

for a in /proc/sys/net/ipv4/conf/*/send_redirects
do
    echo 0 > $a
done

To have them disabled on next reboot, place this into /etc/sysctl.conf:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Of course, instead of disabling them on all interfaces, you can disable 
them per interface too.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



* Re: weird message in logs
  2004-10-19 16:52 weird message in logs Peter Marshall
  2004-10-19 18:38 ` Aleksandar Milivojevic
@ 2004-10-19 18:44 ` Jason Opperisano
  2004-10-19 19:53   ` Peter Marshall
  2004-10-19 21:16 ` [FAQ] " Cedric Blancher
  2 siblings, 1 reply; 8+ messages in thread
From: Jason Opperisano @ 2004-10-19 18:44 UTC (permalink / raw)
  To: netfilter

On Tue, Oct 19, 2004 at 01:52:28PM -0300, Peter Marshall wrote:
> Below is a message I get in my messages file.  Basically, there is a company
> going to lease space from us.  I know it would have been easier to just
> stick another card in my firewall and give them a subnet, however, that is
> not possible for our setup (long story).  Anyway, I built another firewall
> for them.  This firewall sits within our internal network (physically) and
> has 2 network cards.  The firewall's internal network card is for their
> network; 192.168.90.0/24.  The external card has a network of its own,
> 10.90.0.2.  My internal firewall has a sub interface eth0:1 with the number
> 10.90.0.1  (eth0 is 192.168.200.1 and is the gateway to my company's internal
> network).
> 
> What I am doing at the moment is ssh'ing to the newly created firewall
> called rubidium on port 15422.  I get the following in my messages file.
> Does anyone know how to correct this problem?  It does not prevent me from
> sshing, however, I would prefer to not have errors in my log files.
> 
> Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT=
> MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2
> LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1
> GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10
> PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576
> RES=0x00 ACK PSH URGP=0 ]

machine 10.90.0.1 is sending an ICMP Redirect message to 10.90.0.2 saying
that the next hop for 192.168.202.73 is 192.168.202.73...

if you don't want to see these logs:

(a) disable the sending of ICMP Redirects on 10.90.0.1:  
      sysctl -w net.ipv4.conf.eth0.send_redirects=0
(b) drop, but don't log "-p icmp --icmp-type 5/1" on 10.90.0.2
(c) accept, and don't log "-p icmp --icmp-type 5/1" on 10.90.0.2

if it were me--i'd opt for "a"

-j

-- 
Jason Opperisano <opie@817west.com>



* Re: weird message in logs
  2004-10-19 18:44 ` Jason Opperisano
@ 2004-10-19 19:53   ` Peter Marshall
  2004-10-19 20:03     ` Aleksandar Milivojevic
  2004-10-19 20:25     ` Jason Opperisano
  0 siblings, 2 replies; 8+ messages in thread
From: Peter Marshall @ 2004-10-19 19:53 UTC (permalink / raw)
  To: netfilter

Is it a problem that it is dropping these?  I tried option a .. it did not
seem to change anything.

|192.168.202.73| ---> |eth0 on internal firewall 192.168.200.1| ---> |eth0:1
on internal firewall 10.90.0.1| ----> |eth1 on other firewall
10.90.0.2| ----> | eth0 on other firewall 192.168.90.1| --- >
|192.168.90.10|

Basically, I was sshing to eth1 on the other firewall from 192.168.202.73
... I assume the redirect comes from the reply?  Technically, eth1 is on
the same physical network as 192.168.200.0/21 ... so is that why it is doing
the redirect?  Is not logging these messages solving the problem?  Or is
there a problem at all?  Thank you very much for your reply.

Peter

----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Tuesday, October 19, 2004 3:44 PM
Subject: Re: weird message in logs


On Tue, Oct 19, 2004 at 01:52:28PM -0300, Peter Marshall wrote:
> Below is a message I get in my messages file.  Basically, there is a
> company
> going to lease space from us.  I know it would have been easier to just
> stick another card in my firewall and give them a subnet, however, that is
> not possible for our setup (long story).  Anyway, I built another firewall
> for them.  This firewall sits within our internal network (physically) and
> has 2 network cards.  The firewall's internal network card is for their
> network; 192.168.90.0/24.  The external card has a network of its own,
> 10.90.0.2.  My internal firewall has a sub interface eth0:1 with the
> number
> 10.90.0.1  (eth0 is 192.168.200.1 and is the gateway to my company's
> internal
> network).
>
> What I am doing at the moment is ssh'ing to the newly created firewall
> called rubidium on port 15422.  I get the following in my messages file.
> Does anyone know how to correct this problem?  It does not prevent me from
> sshing, however, I would prefer to not have errors in my log files.
>
> Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT=
> MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2
> LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1
> GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10
> PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576
> RES=0x00 ACK PSH URGP=0 ]

machine 10.90.0.1 is sending an ICMP Redirect message to 10.90.0.2 saying
that the next hop for 192.168.202.73 is 192.168.202.73...

if you don't want to see these logs:

(a) disable the sending of ICMP Redirects on 10.90.0.1:
      sysctl -w net.ipv4.conf.eth0.send_redirects=0
(b) drop, but don't log "-p icmp --icmp-type 5/1" on 10.90.0.2
(c) accept, and don't log "-p icmp --icmp-type 5/1" on 10.90.0.2

if it were me--i'd opt for "a"

-j

-- 
Jason Opperisano <opie@817west.com>




* Re: weird message in logs
  2004-10-19 19:53   ` Peter Marshall
@ 2004-10-19 20:03     ` Aleksandar Milivojevic
  2004-10-19 20:25     ` Jason Opperisano
  1 sibling, 0 replies; 8+ messages in thread
From: Aleksandar Milivojevic @ 2004-10-19 20:03 UTC (permalink / raw)
  To: Peter Marshall; +Cc: netfilter

Peter Marshall wrote:
> Is it a problem that it is dropping these?  I tried option a .. it did not
> seem to change anything.

It won't be a problem if you are dropping them.  It's just that your 
firewall will generate extra packets (those redirects).  The remote host 
can opt to ignore them (just as there's an option to disable sending 
redirects, there's an option to disable accepting them).

Anyhow, if eth0 and eth1 are on the same wire, you are probably seeing 
some martians in your internal firewall logs anyhow.  So you should be 
used to having extra stuff in logs anyhow ;-)

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



* Re: weird message in logs
  2004-10-19 19:53   ` Peter Marshall
  2004-10-19 20:03     ` Aleksandar Milivojevic
@ 2004-10-19 20:25     ` Jason Opperisano
  1 sibling, 0 replies; 8+ messages in thread
From: Jason Opperisano @ 2004-10-19 20:25 UTC (permalink / raw)
  To: netfilter

On Tue, Oct 19, 2004 at 04:53:37PM -0300, Peter Marshall wrote:
> Is it a problem that it is dropping these?  I tried option a .. it did not
> seem to change anything.

i may have specified the wrong place to execute the command.  it looks
like you need to disable sending redirects on eth0 of the internal
firewall, but i may be misreading your diagram.

> |192.168.202.73| ---> |eth0 on internal firewall 192.168.200.1| ---> |eth0:1
> on internal firewall 10.90.0.1| ----> |eth1 on other firewall
> 10.90.0.2| ----> | eth0 on other firewall 192.168.90.1| --- >
> |192.168.90.10|
> 
> Basically, I was sshing to eth1 on the other firewall from 192.168.202.73
> ... I assume the redirect comes from the reply?  Technically, eth1 is on
> the same physical network as 192.168.200.0/21 ... so is that why it is doing
> the redirect?

yes.

> Is not logging these messages solving the problem?  Or is
> there a problem at all?  Thank you very much for your reply.

the redirects are a symptom of your network topology--there's nothing
technically wrong with sending them, just as there is nothing
technically wrong with ignoring them.  if they bother you--use sysctl to
disable them from being sent on the machine that is sending them (or
disable them on all interfaces on both firewalls, if that's easier).

-j

-- 
Jason Opperisano <opie@817west.com>


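One detail worth checking before concluding that option (a) "did not change anything": the kernel documentation (Documentation/networking/ip-sysctl) says send_redirects is in effect on an interface if conf/all/send_redirects OR conf/<iface>/send_redirects is set, so `sysctl -w net.ipv4.conf.eth0.send_redirects=0` alone does nothing while conf/all is still 1; an alias such as eth0:1 has no conf entry of its own and follows eth0. The Python below is an added example, not code from any poster in this thread: the helper names are mine, and `conf_root` stands in for /proc/sys/net/ipv4/conf, pointed at a constructed temporary tree so the walkthrough runs without root.

```python
import os
import tempfile

# Added example: helper names are mine, not from the thread or the kernel.
# `conf_root` stands in for /proc/sys/net/ipv4/conf; demo() uses a
# constructed temporary tree instead of the real one.

FLAG = "send_redirects"


def read_flag(conf_root, iface, name=FLAG):
    """Read a boolean sysctl file (conf/<iface>/<name>)."""
    with open(os.path.join(conf_root, iface, name)) as fh:
        return fh.read().strip() != "0"


def write_flag(conf_root, iface, value, name=FLAG):
    """Write a boolean sysctl file; same effect as `echo 0 > .../send_redirects`."""
    with open(os.path.join(conf_root, iface, name), "w") as fh:
        fh.write("1\n" if value else "0\n")


def send_redirects_effective(conf_root, iface):
    """Kernel rule (ip-sysctl): redirects are sent on <iface> if
    conf/all/send_redirects OR conf/<iface>/send_redirects is set."""
    return read_flag(conf_root, "all") or read_flag(conf_root, iface)


def disable_send_redirects(conf_root, ifaces=None):
    """With ifaces=None this mirrors the thread's `for a in conf/*/send_redirects`
    loop; otherwise only the named entries are cleared. Returns the paths written."""
    targets = ifaces if ifaces is not None else sorted(os.listdir(conf_root))
    written = []
    for iface in targets:
        write_flag(conf_root, iface, False)
        written.append(os.path.join(conf_root, iface, FLAG))
    return written


def make_fake_conf_tree(ifaces=("all", "default", "lo", "eth0", "eth1"), value=True):
    """Constructed stand-in for /proc/sys/net/ipv4/conf with every flag = value
    (the kernel default for send_redirects is 1)."""
    root = tempfile.mkdtemp(prefix="ipv4conf_")
    for iface in ifaces:
        os.makedirs(os.path.join(root, iface))
        write_flag(root, iface, value)
    return root


def demo():
    """Walk option (a) through on the fake tree.
    Returns (before, after_eth0_only, after_all_and_eth0)."""
    root = make_fake_conf_tree()
    before = send_redirects_effective(root, "eth0")     # True: default is on
    write_flag(root, "eth0", False)                      # sysctl -w net.ipv4.conf.eth0.send_redirects=0
    eth0_only = send_redirects_effective(root, "eth0")   # still True: conf/all is 1
    disable_send_redirects(root, ["all", "eth0"])
    both = send_redirects_effective(root, "eth0")        # False
    return before, eth0_only, both


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

To apply this on a real host, point `conf_root` at /proc/sys/net/ipv4/conf as root, or simply use the shell loop and sysctl.conf lines already given in the thread; the point of the model is the OR rule, which is why clearing both conf/all and the interface entry (or everything, as the loop does) is the reliable choice.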

* [FAQ] Re: weird message in logs
  2004-10-19 16:52 weird message in logs Peter Marshall
  2004-10-19 18:38 ` Aleksandar Milivojevic
  2004-10-19 18:44 ` Jason Opperisano
@ 2004-10-19 21:16 ` Cedric Blancher
  2 siblings, 0 replies; 8+ messages in thread
From: Cedric Blancher @ 2004-10-19 21:16 UTC (permalink / raw)
  To: Peter Marshall; +Cc: netfilter

On Tue 19/10/2004 at 18:52, Peter Marshall wrote:
> Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT=
> MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2
> LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1
> GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10
> PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576
> RES=0x00 ACK PSH URGP=0 ]

For those who do not fully understand Netfilter logging, you can find a
very good (I learnt a lot from this site) Netfilter log format (and
ipchains as well) resource at this URL:

	http://logi.cc/linux/netfilter-log-format.php3

And most of all, they have a web based log-to-human translator:

	http://logi.cc/linux/NetfilterLogAnalyzer.php3

Just copy/paste up to 10 log lines and you get a comprehensive
translation. In this case, we have:

Filter = INPUT, in=eth1
Name of Chain = not available
Rule Number = not available

Protocol Number = 1 = ICMP = Internet Control Message [RFC792]
IP Source Addr = 10.90.0.1
IP Dest. Addr = 10.90.0.2

ICMP Type = 5 = Redirect Datagram [RFC792]
ICMP Code = 1 = for the Host

IP Packet Len = 484 bytes
IP Header Len = 5 words = 20 bytes (Exact length not available, why?)
IP Payload Len = 464 bytes, including the ICMP header (4 bytes)
IP TOS/DS = 1101000. = TOS: Precedence=Internetwork_Control (usually ignored), Type=Min_Delay
          = 110100.. = DS: Codepoint=110100, Pool=1 (Standards Action) [RFC2474]
IP Time To Live = 64 (hops remaining)
IP ID = 58050 (Unique to each IP datagram)
IP Flags = 000.............

Ethernet Src  = 00:50:04:68:df:06 
Dst  = 00:50:04:9b:7a:ee (eth1)
Type = 08:00 (IPv4 packet)


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint:
FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


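The same decoding can be done offline. The Python below is an added example, not part of Cedric's post or of the logi.cc analyzer: it splits a LOG-target line into the iptables log prefix, the outer KEY=VALUE fields and, for ICMP errors, the quoted inner packet in square brackets, splits the 14-byte MAC= field into destination, source and ethertype as the analyzer does, and explains a type 5 entry as "router X told host Y to use gateway Z for this flow". The sample line is Peter's, re-joined onto one line; the function names and the small ICMP tables are mine.

```python
import re

# Constructed sample: the log line from this thread, re-joined onto one line.
SAMPLE = (
    "Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT= "
    "MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2 "
    "LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1 "
    "GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10 "
    "PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576 "
    "RES=0x00 ACK PSH URGP=0 ]"
)

# Partial tables from RFC 792; only what is needed to read the entries above.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
REDIRECT_CODES = {0: "Network", 1: "Host", 2: "ToS and Network", 3: "ToS and Host"}

TOKEN = re.compile(r"(\w+)(?:=(\S*))?")


def parse_fields(text):
    """KEY=VALUE tokens -> dict. Bare flags (DF, ACK, PSH) become True;
    an empty value such as OUT= stays ''."""
    fields = {}
    for m in TOKEN.finditer(text):
        key, value = m.group(1), m.group(2)
        fields[key] = True if value is None else value
    return fields


def parse_netfilter_log(line):
    """Split a LOG-target line into log prefix, outer packet fields and, for
    ICMP errors, the quoted inner packet carried in [...]."""
    head, sep, rest = line.partition(" IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line: %r" % line)
    rest = "IN=" + rest
    inner = None
    m = re.search(r"\[(.*)\]", rest)
    if m:
        inner = parse_fields(m.group(1))
        rest = rest[:m.start()] + rest[m.end():]
    # Everything after "kernel:" up to IN= is the iptables --log-prefix.
    prefix = head.rsplit("kernel:", 1)[-1].strip()
    return {"prefix": prefix, "outer": parse_fields(rest), "inner": inner}


def split_mac(mac):
    """MAC= carries dst(6) : src(6) : ethertype(2) as 14 colon-separated bytes."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return {"dst": ":".join(octets[:6]), "src": ":".join(octets[6:12]),
            "ethertype": "".join(octets[12:])}


def summarize_redirect(parsed):
    """Explain an ICMP type 5 entry: who told whom to use which gateway for
    which flow. Returns None for anything that is not a redirect."""
    o, i = parsed["outer"], parsed["inner"] or {}
    if o.get("PROTO") != "ICMP" or o.get("TYPE") != "5":
        return None
    gw = o.get("GATEWAY")
    return {
        "kind": REDIRECT_CODES.get(int(o.get("CODE", "0")), "unknown"),
        "router": o.get("SRC"),        # host that sent the redirect
        "target": o.get("DST"),        # host told to change its route
        "gateway": gw,
        "for_destination": i.get("DST"),
        # gateway == destination means "that host is on your own link"
        "on_link": gw is not None and gw == i.get("DST"),
        "triggering_flow": "%s %s:%s -> %s:%s" % (
            i.get("PROTO"), i.get("SRC"), i.get("SPT"), i.get("DST"), i.get("DPT")),
    }


if __name__ == "__main__":
    parsed = parse_netfilter_log(SAMPLE)
    print(parsed["prefix"], split_mac(parsed["outer"]["MAC"]))
    print(summarize_redirect(parsed))
```

Run against the sample, `summarize_redirect` reports a Host redirect from 10.90.0.1 to 10.90.0.2, gateway 192.168.202.73 for the TCP reply 10.90.0.2:15422 -> 192.168.202.73:2510, with `on_link` true because the suggested gateway is the destination itself, which is exactly the "talk to it directly" situation described earlier in the thread. A redirect whose gateway is some third host is the case worth looking at more closely in a log review, and accept_redirects=0 on the receiving host is the usual hardening.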

* Re: weird message in logs
  2004-10-19 18:38 ` Aleksandar Milivojevic
@ 2004-10-20 11:30   ` Peter Marshall
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Marshall @ 2004-10-20 11:30 UTC (permalink / raw)
  To: Aleksandar Milivojevic, netfilter

Thanks very much for the detailed reply.  It was very clear.  My question
now is .. don't I want it to redirect?  I assume letting icmp type 5
through would allow this?  Is that a problem?


----- Original Message ----- 
From: "Aleksandar Milivojevic" <amilivojevic@pbl.ca>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Tuesday, October 19, 2004 3:38 PM
Subject: Re: weird message in logs


Peter Marshall wrote:
> Below is a message I get in my messages file.  Basically, there is a
> company
> going to lease space from us.  I know it would have been easier to just
> stick another card in my firewall and give them a subnet, however, that is
> not possible for our setup (long story).  Anyway, I built another firewall
> for them.  This firewall sits within our internal network (physically) and
> has 2 network cards.  The firewall's internal network card is for their
> network; 192.168.90.0/24.  The external card has a network of its own,
> 10.90.0.2.  My internal firewall has a sub interface eth0:1 with the
> number
> 10.90.0.1  (eth0 is 192.168.200.1 and is the gateway to my company's
> internal
> network).
>
> What I am doing at the moment is ssh'ing to the newly created firewall
> called rubidium on port 15422.  I get the following in my messages file.
> Does anyone know how to correct this problem?  It does not prevent me from
> sshing, however, I would prefer to not have errors in my log files.
>
> Oct 19 14:46:05 rubidium kernel: REJECT: INPUT IN=eth1 OUT=
> MAC=00:50:04:9b:7a:ee:00:50:04:68:df:06:08:00 SRC=10.90.0.1 DST=10.90.0.2
> LEN=484 TOS=0x10 PREC=0xC0 TTL=64 ID=58050 PROTO=ICMP TYPE=5 CODE=1
> GATEWAY=192.168.202.73 [SRC=10.90.0.2 DST=192.168.202.73 LEN=456 TOS=0x10
> PREC=0x00 TTL=64 ID=7787 DF PROTO=TCP SPT=15422 DPT=2510 WINDOW=8576
> RES=0x00 ACK PSH URGP=0 ]

What happened is that your internal firewall got a packet from rubidium
for a host on your local network.  It found out that it needs to route
it back to the interface it came from (eth0), so it generated an ICMP host
redirect packet (PROTO=ICMP TYPE=5 CODE=1) telling rubidium to talk to
192.168.202.73 directly (GATEWAY=192.168.202.73).  The thing in square
brackets is a copy of the packet that caused this ICMP redirect (it is
part of it).

If putting 10.90.0.1 onto a separate physical interface is not an option,
then the only thing you could do is disable generation of ICMP
redirects on your internal firewall.

To disable them on the running host, do:

for a in /proc/sys/net/ipv4/conf/*/send_redirects
do
    echo 0 > $a
done

To have them disabled on next reboot, place this into /etc/sysctl.conf:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Of course, instead of disabling them on all interfaces, you can disable
them per interface too.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



