[plug] Strangeness at the firewall

bob bob at fots.org.au
Fri Jan 30 08:54:59 WST 2004


Thanks for the reply Matt

On Thursday 29 January 2004 23:28, Matt Kemner wrote:
> On Thu, 29 Jan 2004, quoth bob:
> > Can anyone tell me why I'm logging heaps of the following at the
> > moment? (and what the second SRC DST IPs imply) (oh and 192.168.132.70
> > is not something on my lan so it's a Martian). Is this a routing glitch?
> >
> > Jan 29 21:33:01 fluff kernel: ICMP Dropped IN=ppp0 OUT= MAC=
> > SRC=192.168.132.70 DST=203.59.131.96 LEN=56 TOS=0x0C PREC=0x00 TTL=248
> > ID=4097 DF PROTO=ICMP TYPE=3 CODE=0 [SRC=203.59.131.96 DST=211.26.91.96
> > LEN=134 TOS=0x00 PREC=0x00 TTL=58 ID=28991 FRAG:64 PROTO=TCP ]
>
> This is a type 3 code 0 ICMP ("network unreachable") packet, which claims
> to be in response to a TCP packet you (203.59.131.96) sent to
> 211.26.91.96 (096.pth0604.pth.iprimus.net.au) - and the origin of the
> ICMP packet is 192.168.132.70.

Hmm... AFAIK I haven't had any dealings with anyone at iprimus lately so I 
doubt that this is a valid outbound connection, iptstate certainly didn't 
show any connections.

> It's possible iprimus use 192.168.* addresses for their routers, and that
> one of those routers is just letting you know that the host you were
> talking to  (dialup or PPPoE or whatever) has just dropped offline.
>
>
> It is also possible that someone is forging these ICMP packets (which is
> far too easy to do) in the attempt to break your connection to that IP,
> although in this case that seems unlikely.

Perhaps this is what's going on... but I'm at a loss to see why they're 
picking on me  :/

> However when I was working for a large ISP I regularly saw people use
> false "unreachable" to try and forcibly disconnect others from IRC/game
> servers etc.

I haven't been gaming or IRCing lately so I doubt I've annoyed anyone there. 
I am starting to think it may be a case of mistaken id.

Anyway, thanks for the explanation. It seems to have petered out around 3am 
anyway so I'll ignore it.

FWIW I should have tried googling first :)
http://www.iana.org/assignments/icmp-parameters
Thanks for being patient.

>  - Matt

-- 
Every time you manage to close the door on Reality, it comes in through the
window.
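
Added example, not part of the original message: a small Python parser for the netfilter LOG entry discussed in this thread. It separates the outer ICMP header from the bracketed header of the packet the error quotes and notes the points raised above. The `WAN_IFACES` set and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the log entry quoted in the thread, joined onto one line.
SAMPLE = ("Jan 29 21:33:01 fluff kernel: ICMP Dropped IN=ppp0 OUT= MAC= "
          "SRC=192.168.132.70 DST=203.59.131.96 LEN=56 TOS=0x0C PREC=0x00 TTL=248 "
          "ID=4097 DF PROTO=ICMP TYPE=3 CODE=0 [SRC=203.59.131.96 DST=211.26.91.96 "
          "LEN=134 TOS=0x00 PREC=0x00 TTL=58 ID=28991 FRAG:64 PROTO=TCP ]")

# Assumption for this example: interfaces that face the Internet.
WAN_IFACES = {"ppp0"}

# ICMP type 3 codes (subset of the IANA icmp-parameters registry).
UNREACH = {"0": "net unreachable", "1": "host unreachable",
           "2": "protocol unreachable", "3": "port unreachable",
           "4": "fragmentation needed and DF set"}

def fields(text):
    """Turn KEY=value tokens into a dict; bare flags such as DF are skipped."""
    return dict(re.findall(r"(\w+)=(\S*)", text))

def parse(line):
    """Return (outer, inner): the logged packet's header fields and the
    fields of the original packet quoted inside the ICMP error, if any."""
    m = re.search(r"\[(.*?)\]", line)
    outer = fields(line[:m.start()] if m else line)
    inner = fields(m.group(1)) if m else {}
    return outer, inner

def assess(line):
    """List the observations a reader would make about one log entry."""
    outer, inner = parse(line)
    notes = []
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3":
        code = outer.get("CODE", "?")
        notes.append("ICMP destination unreachable: " + UNREACH.get(code, "code " + code))
    if outer.get("IN") in WAN_IFACES and "SRC" in outer:
        if ipaddress.ip_address(outer["SRC"]).is_private:
            notes.append("private source address arriving on " + outer["IN"])
    if inner:
        if inner.get("SRC") == outer.get("DST"):
            notes.append(f"quotes a {inner.get('PROTO')} packet from us to {inner.get('DST')}")
        else:
            notes.append("quoted packet was not sent from the address that received the error")
    return notes

if __name__ == "__main__":
    for note in assess(SAMPLE):
        print(note)
```

The quoted header only shows what the ICMP sender claims; comparing it with the connection-tracking table (as done with iptstate above) is what tells you whether such a connection ever existed.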
