On Fri, 10 May 2002, Scott Merrill wrote:
> I just found this in my firewall log:
>
> May 10 08:58:00 fire2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
> SRC=10.10.10.1 DST=192.168.0.3 LEN=66 TOS=0x00 PREC=0xC0 TTL=254 ID=37790
> PROTO=ICMP TYPE=11 CODE=0 [SRC=X.X.X.X DST=65.108.14.222 LEN=38 TOS=0x00
> PREC=0x00 TTL=1 ID=62741 PROTO=UDP INCOMPLETE [6 bytes] ]
>
> (bracketed source IP removed for anonymity - it is the public IP address of my
> firewall)
>
> This is a new one for me. If I read this correctly, source IP 10.10.10.1
> sent a packet that hit my firewall's eth0 (internal NIC, IP address of
> 192.168.0.100) destined for 192.168.0.3 via eth1 (external NIC, public IP
> address).
>
> But what's that bit in the brackets?
>
> Is this an attempt to leverage the netfilter vulnerability to enumerate my
> internal addressing scheme?
More than likely, this is a routing screwup somewhere. ICMP type 11,0 is
TTL exceeded. The stuff in brackets is the original packet that one of
your systems (192.168.0.3) sent to 65.108.14.222 (which I suspect you know
something about :-)
Unless you have packet mangling disabled, the original DST of the ICMP
packet wasn't 192.168.0.3 but rather your firewall's external IP. This
packet is being dropped in the 'rfc1918' chain which is in the filter
table so the DST has already been rewritten. The reason that the packet is
being rejected is its SRC which is reserved by 10.10.10.1.
The TTL expired off in some private network and this packet was returned.
This is the second case of this that I've seen.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
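The reply above reads the bracketed part of the log line by hand; the following is an added example (not code from the thread or from Shorewall) that does the same thing programmatically: it splits a Shorewall/netfilter log line into the outer ICMP packet and the quoted original packet inside the brackets, and describes what the error reports. The sample line is the one quoted in the thread, with the X.X.X.X placeholder kept; the `ipaddress.is_private` check is an assumption that also matches a few non-RFC1918 ranges (loopback, link-local), so treat it as "private, not routable on the Internet" rather than strictly RFC1918.

```python
import ipaddress
import re

# Constructed sample: the log line quoted in the thread (public IP left as X.X.X.X).
SAMPLE = ("May 10 08:58:00 fire2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
          "SRC=10.10.10.1 DST=192.168.0.3 LEN=66 TOS=0x00 PREC=0xC0 TTL=254 ID=37790 "
          "PROTO=ICMP TYPE=11 CODE=0 [SRC=X.X.X.X DST=65.108.14.222 LEN=38 TOS=0x00 "
          "PREC=0x00 TTL=1 ID=62741 PROTO=UDP INCOMPLETE [6 bytes] ]")

KV = re.compile(r"(\w+)=(\S+)")  # netfilter logs are KEY=value tokens separated by spaces

# Common ICMP error (type, code) pairs; an ICMP error always quotes the packet that caused it.
ICMP_ERRORS = {("11", "0"): "TTL exceeded in transit", ("3", "1"): "host unreachable",
               ("3", "3"): "port unreachable"}


def parse_netfilter_line(line):
    """Split a Shorewall log line into chain, action, outer fields and the bracketed inner packet."""
    _, _, rest = line.partition("Shorewall:")
    chain, action, fields = rest.split(":", 2)  # e.g. "rfc1918", "DROP", "IN=eth0 OUT=..."
    inner = None
    start = fields.find("[")
    if start != -1:  # the quoted original packet, as included by the ICMP error
        end = fields.rfind("]")
        inner_text = fields[start + 1:end]
        inner = dict(KV.findall(inner_text))
        inner["INCOMPLETE"] = "INCOMPLETE" in inner_text  # only the first bytes were quoted
        fields = fields[:start]
    return {"chain": chain, "action": action, "outer": dict(KV.findall(fields)), "inner": inner}


def explain_icmp_error(rec):
    """Describe an ICMP error record: who reported it, and which original packet it refers to."""
    outer, inner = rec["outer"], rec["inner"]
    if outer.get("PROTO") != "ICMP" or inner is None:
        return None
    kind = ICMP_ERRORS.get((outer.get("TYPE"), outer.get("CODE")),
                           "ICMP type %s code %s" % (outer.get("TYPE"), outer.get("CODE")))
    reporter = outer["SRC"]
    return {
        "kind": kind,
        "reporter": reporter,  # the router that generated the error
        "reporter_is_private": ipaddress.ip_address(reporter).is_private,  # assumption: see lead-in
        "original_dst": inner.get("DST"),  # where the dropped original packet was headed
        "original_proto": inner.get("PROTO"),
        "original_ttl": inner.get("TTL"),
        "logged_in": "%s chain, action %s" % (rec["chain"], rec["action"]),
    }


if __name__ == "__main__":
    print(explain_icmp_error(parse_netfilter_line(SAMPLE)))
```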