Archived from groups: comp.security.firewalls
On Thu, 15 Sep 2005 15:03:29 -0500, ibuprofin@painkiller.example.tld (Moe Trin) wrote:
>In the Usenet newsgroup comp.security.firewalls, in article
><stqii11n4e9is5g5o5q0r1dgcrlje1or4c@4ax.com>, JC wrote:
>
>>I have noticed over the past few weeks a slow build up of reports of ICMP
>>packets being blocked by my firewall. The firewall reports follow the
>>pattern below:-
>>
>>ICMP packet dropped - Source:a.b.c.d, 3, WAN - Destination:w.x.y.z, 1, LAN -
>>
>>The firewall drops them as 'Destination Unreachable' since port 1 doesn't
>>exist on the firewall.
<snip>
>Your firewall (in common with many others) reports ICMP with the type
>number displayed as the source port, and the 'code' displayed as the
>destination port. This _should_ be explained in the documentation for
>your firewall.
I looked back through the docs and it is there - "The TCP or UDP port number or
ICMP code follows the IP address". Thanks for pointing me to it.
>>I know that they aren't pings but I am puzzled as to what they are.
>
>ICMP Type 3 code 1 - Host unreachable.
>
>>My concern is that they may be legit traffic that is being blocked.
>
>Normally, a remote router will reply with ICMP Type 3 code 1 when you
>send a packet attempting to connect to a host that does not exist, or
>exists but is turned off/disconnected/dead/wedged. In ICMP, the 'source'
>IP address is the remote (router or host), and the destination IP is
>the system that sent the original packet that caused the problem. You
>need to review your outbound traffic, and find what host is sending
>the original traffic to an unreachable host. If your system is not
>NATing, or Port Forwarding, the problem lies on the host given as
>the destination IP in the ICMP packet. If you looked inside the ICMP
>packet with a packet sniffer, you will find the header of the packet
>that caused the problem.
I have a single PC connected on the LAN side of a Sonicwall TZ170 firewall. I
am soon to add a 2nd multi-media PC to the LAN. I run NAV daily and Ad-aware
and SpyBot bi-weekly on the PC and none report any "funnies".
About 70% of these return packets arrive while my PC is turned off with only the
firewall and modem active. Does this mean that someone is spoofing my IP
address and causing the problem?
I am not sure how to go about sniffing the incoming ICMP packet as it is dropped by
the firewall before it gets to my PC. I am assuming that the sniffer would
need to be on the WAN side of the firewall.
Would turning ON the Windows Firewall logging help here, as it would give me some
clues to any packets going out to the addresses sending back the ICMP Type 3
code 1 packets?
Thanks for your help Old guy, I appreciate it.
--
Cheers . . . JC
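The two steps Moe Trin describes (reading the firewall's "port" columns as ICMP type/code, and looking inside a Type 3 packet for the header of the original packet that caused it) as an added example, not code from the original thread or from the firewall vendor. The log line, addresses, ports and packet bytes are constructed test data; the regex assumes the exact column layout quoted in the post, and the packet builder leaves checksums at zero because the parser does not verify them.

```python
import re
import struct

# Constructed log line in the firewall's format shown in the post: the two "port"
# columns after each address are really the ICMP type (3) and code (1).
SAMPLE_LOG = "ICMP packet dropped - Source:203.0.113.7, 3, WAN - Destination:192.0.2.10, 1, LAN -"

ICMP_MEANING = {(3, 0): "net unreachable", (3, 1): "host unreachable",
                (3, 3): "port unreachable", (8, 0): "echo request (ping)",
                (0, 0): "echo reply", (11, 0): "time exceeded in transit"}
LOG_RE = re.compile(r"Source:([\d.]+),\s*(\d+),\s*\w+\s*-\s*Destination:([\d.]+),\s*(\d+),\s*\w+")

def decode_log_line(line):
    """Read the firewall's 'source port'/'destination port' columns as ICMP type/code."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, icmp_type, dst, icmp_code = m.groups()
    key = (int(icmp_type), int(icmp_code))
    # In an ICMP error the source is the remote router/host, the destination is the LAN host
    # whose original packet triggered it (the host you need to look at).
    return {"remote": src, "lan_host": dst, "type": key[0], "code": key[1],
            "meaning": ICMP_MEANING.get(key, "unknown")}

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0: not needed for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

# Constructed packet: LAN host 192.0.2.10 sent TCP 51000 -> 198.51.100.44:80; the remote
# router 203.0.113.7 answered with ICMP type 3 code 1 quoting that original packet.
ORIG_PACKET = build_ipv4("192.0.2.10", "198.51.100.44", 6, struct.pack("!HH", 51000, 80) + b"\0" * 4)
SAMPLE_PACKET = build_ipv4("203.0.113.7", "192.0.2.10", 1, struct.pack("!BBHI", 3, 1, 0, 0) + ORIG_PACKET)

def parse_unreachable(packet):
    """Extract the quoted original IP header and transport ports from an ICMP type 3 message."""
    icmp = packet[(packet[0] & 0x0F) * 4:]            # skip outer IP header
    if len(icmp) < 8 + 28 or icmp[0] != 3:            # need ICMP hdr + inner IP hdr + 8 data bytes
        return None
    inner = icmp[8:]                                  # RFC 792: original IP header + 8 bytes of data
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"code": icmp[1], "proto": inner[9],
            "orig_src": ".".join(str(b) for b in inner[12:16]),
            "orig_dst": ".".join(str(b) for b in inner[16:20]),
            "orig_sport": sport, "orig_dport": dport}
```

Run against a capture taken on the WAN side, the `orig_src`/`orig_sport` fields tell you which LAN host and connection attempt produced each unreachable reply.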