
| Subject: | Re: Wierd ICMP in logs |
|---|---|
| Date: | Tue, 14 Sep 2004 02:23:32 -0400 |
I'm not familiar with your fw, so I can only assume it's referring to Destination Unreachable (ICMP Type 3). They're sent in response to a connection request that, for whatever reason, cannot be delivered. Possibly the server or service is not available. The most likely cause is that one of your internal users clicked on a dead link in a web page, causing the unreachable message to be sent back. It's OK to allow them inbound.

I found these links helpful for sorting out ICMP:

http://www.networkmagazine.com/article/NMG20000829S0003
http://www.sys-security.com/html/projects/icmp.html

Regards,
Gary

----- Original Message -----
From: "Mark" <bugtraq@mwebapps.com>
To: <firewalls@securityfocus.com>
Sent: Sunday, September 12, 2004 2:51 PM
Subject: Wierd ICMP in logs

I am running OpenBSD with PF for my firewall. I found these weird entries in my log file:

```
Sep 12 10:37:59.896280 rule 1/0(match): block in on xl0: 24.21.214.129 > 68.*.*.*: icmp: host 192.168.1.100 unreachable [tos 0xc0]
Sep 12 10:37:59.905766 rule 1/0(match): block in on xl0: 24.21.214.129 > 68.*.*.*: icmp: host 192.168.1.100 unreachable [tos 0xc0]
Sep 12 10:38:06.194229 rule 1/0(match): block in on xl0: 24.21.214.129 > 68.*.*.*: icmp: host 192.168.1.100 unreachable [tos 0xc0]
```

My question is why is it saying host 192.168.1.100 unreachable? That's an internal IP on my network, how can this 24.21.214.129 IP be pinging IPs on my internal network? Is there something I can do to block this? I am currently blocking all external ICMP traffic.

PS: I have * out my IP address.

Thanks
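Added example, not part of the original posts: in this tcpdump-style log format, the address in `host X unreachable` is the destination of the original packet quoted inside the ICMP error, not an address the sender is probing. The Python code below parses such lines and counts unreachables whose quoted destination is an RFC 1918 address; the function names and the fourth sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Lines 1-3 are the pf log entries quoted in the post (destination masked by
# the poster). Line 4 is constructed for contrast, using documentation ranges.
SAMPLE = """\
Sep 12 10:37:59.896280 rule 1/0(match): block in on xl0: 24.21.214.129 > 68.*.*.*: icmp: host 192.168.1.100 unreachable [tos 0xc0]
Sep 12 10:37:59.905766 rule 1/0(match): block in on xl0: 24.21.214.129 > 68.*.*.*: icmp: host 192.168.1.100 unreachable [tos 0xc0]
Sep 12 10:38:06.194229 rule 1/0(match): block in on xl0: 24.21.214.129 > 68.*.*.*: icmp: host 192.168.1.100 unreachable [tos 0xc0]
Sep 12 10:40:11.000001 rule 1/0(match): block in on xl0: 198.51.100.7 > 68.*.*.*: icmp: host 203.0.113.9 unreachable
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"rule (?P<rule>\S+?)\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+): icmp: host (?P<orig_dst>\S+) unreachable"
)

def parse(line):
    """Return the fields of one logged ICMP host-unreachable, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        addr = ipaddress.ip_address(rec["orig_dst"])
        rec["orig_dst_rfc1918"] = any(addr in net for net in RFC1918)
    except ValueError:  # masked or otherwise unparsable address
        rec["orig_dst_rfc1918"] = None
    return rec

def rfc1918_unreachables(text):
    """Count (ICMP sender, quoted destination) pairs where the quoted
    destination of the original packet is a private address."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["orig_dst_rfc1918"]:
            hits[(rec["src"], rec["orig_dst"])] += 1
    return hits

if __name__ == "__main__":
    for (src, orig_dst), n in rfc1918_unreachables(SAMPLE).items():
        print(f"{n} unreachable(s) from {src} quoting private destination {orig_dst}")
```

A non-empty result means packets addressed to a private destination left the network and an upstream router reported them undeliverable, which points at internal routing or NAT configuration rather than at inbound probing.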