
I'm dropping all ICMP type 8 packets on the INPUT chain and so now I'm seeing log entries as a Fabric script tries to contact another server, like this:

kernel: INPUT DROP IN=eth0 OUT= SRC=<ip1> DST=<ip2> LEN=88 TOS=0x00 PREC=0xC0 TTL=50 ID=60964 PROTO=ICMP TYPE=3 CODE=3 [SRC=<ip2> DST=<ip1> LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=45897 DF PROTO=TCP SPT=34120 DPT=22022 WINDOW=14600 RES=0x00 SYN URGP=0 ]

However they're different from the tcp/udp log entries I'm used to, specifically the section in square brackets. What do its different parts relate to?

ghickman

1 Answer


That's a destination unreachable (type 3) port unreachable (code 3) message. As such, it encapsulates some data about the original connection that generated the message, which is what you see in the angle brackets. So IP1 tried to connect to ip2, via TCP, from source port 34120, to destination port 22022, etc. That generated an ICMP destination unreachable message, which you then dropped.

I would, as a side note, think very carefully about blocking all ICMP traffic. It's usually not a good idea.

malcolmpdx
  • Sorry I should have clarified that I'm blocking type 8 specifically, I'll update the question. I'm now allowing type 3 and the fabric script is working. Thanks for the explanation! – ghickman Apr 05 '11 at 15:53
  • @ghickman IMO at the very least, you should allow types 3, 11, and 12. – pepoluan Apr 06 '11 at 00:26
  • @pepoluan Could you clarify your reasoning for types 11 and 12? Would you suggest any other types on top of those three and why? – ghickman Apr 06 '11 at 09:03
  • @ghickman Type 11 (Time Exceeded) helps cut down TCP timeout if the packets happen to enter a routing loop. If it's filtered out, the sending side will just assume packet is dropped, and attempt retransmission... again and again until TCP times out (which might take a looooong time). Type 12 (Parameter Problem) might help if, e.g., some clients can connect, but some others can't, due to some incompatible protocol settings. – pepoluan Apr 06 '11 at 12:46
  • @ghickman you might also allow Type 30 (Traceroute - RFC1393) if you provide a publicly-accessible server. Although I am not aware of any network-tool using it :-/ – pepoluan Apr 06 '11 at 12:48
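A parser for the two-level log line discussed above, added here as an example that is not code from the question, the answer or any project: it splits a netfilter LOG entry into the outer ICMP packet and the bracketed header of the original packet that the ICMP error quotes, and labels the type and code by their RFC 792 names. The sample line and its RFC 5737 addresses are constructed stand-ins for the redacted <ip1> and <ip2>.

```python
import re

# RFC 792 names for the ICMP types and type-3 codes the thread discusses (subset).
ICMP_TYPES = {3: "destination unreachable", 8: "echo request",
              11: "time exceeded", 12: "parameter problem"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}

# Constructed sample in the shape of the question's log line; documentation-range
# addresses (RFC 5737) stand in for the redacted <ip1> and <ip2>.
SAMPLE = ("kernel: INPUT DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=88 "
          "TOS=0x00 PREC=0xC0 TTL=50 ID=60964 PROTO=ICMP TYPE=3 CODE=3 "
          "[SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 "
          "ID=45897 DF PROTO=TCP SPT=34120 DPT=22022 WINDOW=14600 RES=0x00 SYN URGP=0 ]")

def parse_fields(text):
    """Map KEY=VALUE tokens to a dict; bare flags such as DF or SYN become True."""
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value           # "OUT=" yields "" just as the log shows it
        else:
            fields[tok] = True
    return fields

def parse_log_line(line):
    """Split a netfilter LOG line into the outer packet fields and, for ICMP error
    messages, the bracketed header of the original packet that triggered them."""
    inner = re.search(r"\[(.*)\]", line)
    outer_text = line[:inner.start()] if inner else line
    outer = parse_fields(outer_text[outer_text.index("IN="):])   # drop "kernel: INPUT DROP"
    return outer, (parse_fields(inner.group(1)) if inner else None)

def describe_icmp(line):
    """Name the ICMP message and the original connection it refers to; None if not ICMP."""
    outer, inner = parse_log_line(line)
    if outer.get("PROTO") != "ICMP":
        return None
    icmp_type, icmp_code = int(outer["TYPE"]), int(outer["CODE"])
    info = {"sender": outer["SRC"], "receiver": outer["DST"], "type": icmp_type,
            "type_name": ICMP_TYPES.get(icmp_type, "other"), "code": icmp_code,
            "code_name": UNREACH_CODES.get(icmp_code, "other") if icmp_type == 3 else None,
            "original": None}
    if inner:   # ICMP error messages quote the offending packet's IP header and first bytes
        info["original"] = {"src": inner["SRC"], "dst": inner["DST"], "proto": inner["PROTO"],
                            "sport": int(inner.get("SPT", 0)), "dport": int(inner.get("DPT", 0)),
                            "syn": inner.get("SYN", False)}
    return info
```

Feeding a plain echo-request line (type 8, no bracketed section) yields `original` of None, which is the quickest way to tell the two kinds of ICMP entry apart in a log review.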