Re: SmoothWall logs


Subject: Re: SmoothWall logs
From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: Thu Oct 17 2002 - 15:36:20 AKDT


On Wed, 16 Oct 2002, i_robot wrote:

> This showed up on my SmoothWall box this evening.
>
> IMCP administratively refused
> Priority 3 (The highest)
> 64.4.55.135
>
> I did an nmap scan, nmap -P0 64.4.55.135, and got this
> Interesting ports on mc2.law5.hotmail.com
> Port state service
> 179/tcp closed bgp
>
> I found this odd for 2 reasons, the first being I've never seen
> anything like this before, and second, it's from a hotmail server ( I
> assume ). I don't use hotmail, never have....any ideas what this is
> about?

I'm guessing that the hotmail box probably just pinged you for some
reason, although it may have also been trying to tell your computer
something. I'm assuming that "IMCP" up there should really be "ICMP".
Servers will do this for various reasons, mostly having to do with gauging
latency and other issues. I've seen this taken to the extreme
though--once a server at Electronic Arts pinged my home firewall several
hundred times, and I'd not been to their website, nor had I received any
email from them, or anything else that might make them want to gauge
network performance to my box. I can't see anything useful they could
have gained from what they did, so I just firewalled off the offending IP.

I don't know why BGP showed up in your nmap scan (even in a closed state).
That's a routing protocol. But then the IP you scanned may actually have
been an interface on a router, who knows.

If your Smoothwall box is just set to globally deny all incoming ICMP
traffic, you will definitely want a more fine-grained approach than that.
The "administratively refused" message you posted doesn't describe what
type/code the ICMP packet was, and it probably was useful traffic to
receive. For example, ICMP redirects (type 5) you can safely drop, but
others are absolutely desirable.

Mike

-- 
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
Network Technician     Consortium Library         (907) 786-6050 fax
tibor@lib.uaa.alaska.edu       http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
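As an added example, not code from the original message or from SmoothWall, here is the per-type approach Mike describes, in Python: it parses the ICMP type and code out of a raw message, verifies the checksum, gives a verdict per type/code rather than a blanket deny, and renders the same policy as iptables rules. The accept list (echo reply, destination unreachable, time exceeded, parameter problem), the rate limit on echo requests, and the sample packets are this example's assumptions; only the "drop type 5 redirects" point comes from the message above.

```python
"""Per-type ICMP filtering instead of a global ICMP deny.

Added example (not SmoothWall code). Type/code numbers follow RFC 792;
which types to accept is this example's policy choice, built around the
point above that type 5 (redirect) is droppable while other types are
wanted. Sample packets are constructed in the test, not captured traffic.
"""
import struct

# Types a firewall normally wants to receive (assumed policy).
ACCEPT_TYPES = {
    0: "echo-reply",               # answers to our own pings
    3: "destination-unreachable",  # incl. code 4 "fragmentation needed" (PMTUD)
    11: "time-exceeded",           # traceroute replies, TTL expiry
    12: "parameter-problem",
}
# Echo requests: accept, but rate-limited (assumed policy).
RATE_LIMITED_TYPES = {8: "echo-request"}
# Redirects rewrite the host routing table; safe to drop on a firewall.
DROP_TYPES = {5: "redirect"}
# Anything not listed (timestamp, address mask, obsolete info requests) is dropped.


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Returns 0 when run over a message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (for test data only)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)  # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp(data: bytes):
    """Return (type, code) from a raw ICMP message, or None if the header is
    short or the checksum does not verify."""
    if len(data) < 8:
        return None
    if icmp_checksum(data) != 0:
        return None
    icmp_type, code = struct.unpack("!BB", data[:2])
    return icmp_type, code


def decide(data: bytes) -> str:
    """Verdict for one ICMP message: ACCEPT, RATELIMIT, DROP or INVALID.
    This is the per-type decision a log line like 'ICMP administratively
    refused' hides when the firewall denies all ICMP at once."""
    parsed = parse_icmp(data)
    if parsed is None:
        return "INVALID"
    icmp_type, _code = parsed
    if icmp_type in ACCEPT_TYPES:
        return "ACCEPT"
    if icmp_type in RATE_LIMITED_TYPES:
        return "RATELIMIT"
    return "DROP"  # covers DROP_TYPES and every unlisted type


def iptables_rules(chain: str = "INPUT") -> list:
    """Render the same policy as iptables rules (strings only; nothing is applied)."""
    rules = []
    for icmp_type, name in sorted(ACCEPT_TYPES.items()):
        rules.append(f"iptables -A {chain} -p icmp --icmp-type {icmp_type} -j ACCEPT  # {name}")
    for icmp_type, name in sorted(RATE_LIMITED_TYPES.items()):
        rules.append(f"iptables -A {chain} -p icmp --icmp-type {icmp_type} "
                     f"-m limit --limit 5/second -j ACCEPT  # {name}")
    # Final catch-all: drops type 5 redirects and anything not accepted above.
    rules.append(f"iptables -A {chain} -p icmp -j DROP  # everything else, incl. type 5 redirect")
    return rules


if __name__ == "__main__":
    for label, pkt in [("echo reply", build_icmp(0, 0, b"ping")),
                       ("frag needed", build_icmp(3, 4)),
                       ("redirect", build_icmp(5, 1)),
                       ("echo request", build_icmp(8, 0))]:
        print(f"{label:13s} -> {decide(pkt)}")
    print("\n".join(iptables_rules()))
```

The checksum check matters for the same reason the type check does: a filter that logs only "refused" gives the operator nothing to reason about, while a verdict keyed on verified type/code tells you whether the dropped packet was a redirect worth ignoring or a fragmentation-needed message you actually wanted.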




This archive was generated by hypermail 2a23 : Thu Oct 17 2002 - 15:36:24 AKDT