I've installed the two-interface firewall on a standalone pc. The four
internal pc's are browsing, emailing, etc. Really working well compared
to firewall software on each machine!

While I was reviewing logs on the firewall, I noticed A LOT of the
following messages:

> Nov 18 17:01:59 splash174 kernel: Shorewall:all2all:REJECT:IN
> OUT=eth1 SRC=192.168.0.1 DST=192.168.0.4 LEN=88 TOS=0x08 PREC=0xC0
> TTL=64 ID=30152 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.0.4
> DST=216.162.192.4 LEN=60 TOS=0x08 PREC=0x00 TTL=1 ID=14909 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=36096 ]

216.162.192.4 is my secondary DNS server.
192.168.0.1 is my eth1 on the firewall connected to a hub.
192.168.0.4 is a Win98 machine used for chat, etc.

I've looked at the configuration on the .4 machine and it appears correct.
--On Monday, November 18, 2002 05:26:48 PM -0800 Al Erola <waerola1@netscape.net> wrote:

> I've installed the two-interface firewall on a standalone pc. The four
> internal pc's are browsing, emailing, etc. Really working well compared
> to firewall software on each machine!
>
> While I was reviewing logs on the firewall, I noticed A LOT of the
> following messages:
>
> > Nov 18 17:01:59 splash174 kernel: Shorewall:all2all:REJECT:IN
> > OUT=eth1 SRC=192.168.0.1 DST=192.168.0.4 LEN=88 TOS=0x08 PREC=0xC0
> > TTL=64 ID=30152 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.0.4
> > DST=216.162.192.4 LEN=60 TOS=0x08 PREC=0x00 TTL=1 ID=14909 DF
> > PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=36096 ]
>
> 216.162.192.4 is my secondary DNS server.
> 192.168.0.1 is my eth1 on the firewall connected to a hub.
> 192.168.0.4 is a Win98 machine used for chat, etc.
>
> I've looked at the configuration on the .4 machine and it appears correct.

192.168.0.4 is trying to ping 216.162.192.4. Your firewall wants to return an ICMP type 11, code 0 (TTL exceeded) to 192.168.0.4 -- given that the original TTL was 1, this is probably Windows' implementation of traceroute which uses ICMP ping packets with a TTL (but it could also be something else that Windows uses ICMP type 8 for).

For some reason, the connection tracking code on your firewall is not considering the response (the ICMP 11 packet) to be related to the original ICMP type 8 packet so it is rejecting it.

If you simply want to suppress these annoying messages, create /etc/shorewall/icmpdef and in it, place:

run_iptables -A icmpdef -p icmp --icmp-type 11 -j DROP

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
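The diagnosis above rests on reading two packet headers out of one log line: the outer ICMP type 11 (TTL exceeded) that the firewall wants to send, and the bracketed inner header of the type 8 echo request with TTL=1 that provoked it. The following parser is an added example, not code from the list or from the Shorewall project. It splits a Shorewall/netfilter log line into chain, disposition, outer fields and (for ICMP errors) the embedded original packet, then flags the exact pattern discussed here so the noise can be counted before deciding whether to suppress it. The sample lines are constructed: the first reproduces the thread's line with the "IN=" token restored (netfilter always prints it; the archive dropped the "="), and the second is a made-up TCP drop using documentation addresses so the classifier has something to leave alone.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample lines in the netfilter LOG format that Shorewall emits.
# Line 1: the thread's ICMP type 11 REJECT, with "IN=" restored (assumption).
# Line 2: an unrelated TCP drop on documentation addresses (203.0.113.0/24,
# 198.51.100.0/24), made up so that classify() has a negative case.
SAMPLE_LOG = """\
Nov 18 17:01:59 splash174 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.4 LEN=88 TOS=0x08 PREC=0xC0 TTL=64 ID=30152 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.0.4 DST=216.162.192.4 LEN=60 TOS=0x08 PREC=0x00 TTL=1 ID=14909 DF PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=36096 ]
Nov 18 17:02:03 splash174 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4711 DF PROTO=TCP SPT=3120 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes the kernel log message with "Shorewall:<chain>:<disposition>:".
LINE_RE = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")


def parse_fields(text: str) -> Dict[str, str]:
    """Turn 'KEY=VALUE KEY=VALUE FLAG ...' into a dict.

    The first occurrence of a key wins: the embedded packet of an ICMP error
    carries the IP header ID= before the ICMP echo ID=, and the IP one is the
    value we want. Bare flags such as DF or SYN are stored with an empty value.
    """
    fields: Dict[str, str] = {}
    for tok in text.split():
        key, _, value = tok.partition("=")
        fields.setdefault(key, value)
    return fields


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one Shorewall log line into chain, disposition, outer and inner fields.

    Returns None for lines that are not Shorewall entries. The bracketed
    section appears only on ICMP error messages and holds the header of the
    original packet that triggered the error.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    outer_text, _, inner_text = m.group("rest").partition("[")
    inner_text = inner_text.rstrip().rstrip("]")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "outer": parse_fields(outer_text),
        "inner": parse_fields(inner_text) if inner_text.strip() else None,
    }


def classify(rec: Dict[str, object]) -> str:
    """Label the pattern from the thread: a TTL-exceeded error (type 11) whose
    embedded packet is a TTL=1 echo request (type 8). That is the signature of a
    traceroute-style probe whose error reply conntrack did not treat as RELATED.
    """
    outer, inner = rec["outer"], rec["inner"]
    if (outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "11"
            and inner is not None
            and inner.get("PROTO") == "ICMP" and inner.get("TYPE") == "8"
            and inner.get("TTL") == "1"):
        return "ttl_exceeded_for_probe"
    return "other"


def summarize(log_text: str) -> Counter:
    """Count Shorewall log lines per category so the noisy pattern can be sized up."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(classify(rec), rec["chain"], rec["disposition"],
              rec["outer"]["SRC"], "->", rec["outer"]["DST"])
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against a real /var/log/messages instead of SAMPLE_LOG and the counter tells you how much of the log is this one pattern; if the inner TTL is not 1 or the inner type is not 8, the type 11 message is something other than a first-hop traceroute probe and deserves a second look before any blanket DROP of --icmp-type 11 is added.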