LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-08-2001, 05:05 PM   #1
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Rep: Reputation: 15
Question Hmmm


Any ideas what this line I pulled from tcpdump output means?

15:14:04.377453 eth0 < 111.111.111.111 > ME.ME.ME.ME: icmp: host 222.222.222.222 unreachable - admin prohibited filter

The IP addresses have been changed for obvious reasons, but I used 111.111.111.111 and 222.222.222.222 to indicate that these were actually two different IPs and not the same. Let me know what you think, thanks.

Mike.
 
Old 08-09-2001, 05:23 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Is it a VPN link?
Is the 222.222.222.222 IP the same as the destination address that the 111.111.111.111 IP client tried to contact, or is it a router/firewall in the path?

Basically, tcpdump is showing you error code 13 ("not ICMP type 13"). It's error code 13, ICMP type 11.
"Communication Administratively Prohibited" - generated if a router cannot forward a packet due to administrative filtering.

I assume a firewall is not responding, or a protocol used in the connection is not getting through, due to non-support or blocking by a filter of some sort on that 222.222.222.222 system.

For example: IPsec uses UDP as part of its ISAKMPD key exchange, and the firewall might be rejecting it with a timeout.

Anyway, without more information on what's asking the request, to where, it's just speculation.

/Raz
 
Old 08-09-2001, 11:33 AM   #3
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
222.222.222.222 is completely different than 111.111.111.111. They aren't even a part of the same block, and they don't look up as the same corporation or anything. That is why it is strange to me, because the request comes into my box from 222.222.222.222, and then it looks like it is trying to leave my box to 111.111.111.111; each IP is unique in this case.

Mike.
 
Old 08-10-2001, 05:02 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
It looks like a filter problem, as in a firewall or other packet filtering software problem.
From the tcpdump output it's the one sending ICMP error codes back to your 111.111.111.111 box; your box replies to these errors.
But with only one line of output from tcpdump it's not easy to tell.

If you come into a forum in the first place asking advice, you have to be prepared to give us the information we need to help you diagnose it.
It's like a mechanic trying to fix someone's car over the phone ("which is already difficult"), where the owner tells you it's making a funny pinging noise, but they don't tell you what's making the noise, what area of the car the noise comes from or what model car it is.

You're not going to get an answer that's going to help you very much, are you?
/Raz
 
Old 08-10-2001, 11:43 AM   #5
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
It isn't a VPN, this is a dedicated hosted box, I manage it remotely. It runs as a web server, Apache, and that is it. The only other access to this box is me through SSH or FTP, and some email accounts. I am just curious what causes this kind of information in my logs. I am more looking for an explanation, or breakdown of this message, like the direction of the message, who it came from, etc., and why it looks like it comes from one IP, through me, to a different IP. I would like to learn more about understanding how the logs and tcpdump output work.

My host's network has a firewall, so it is possible it isn't letting this info out, but the IPs in this message don't resolve to my host's corp., nor do they match their general IP blocks.

Sorry if I made this more difficult than it had to be.

Thanks a lot!
Mike.
 
Old 08-13-2001, 05:33 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
OK, I've figured it out now.

It's the response from the system that you're sniffing with tcpdump, to the 222.222.222.222 system.

Basically, the 222.222.222.222 system requested something like an Echo reply or time exceeded ICMP type to the 111.111.111.111 address.
Your system is configured to reject them and responded, telling it that the request it asked for is not allowed ("that's the message you're seeing").

So on your firewall make sure that all ICMP blockers deny the packets, not reject them.
Sorry, don't know where you can find info on tcpdump.

/Raz
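To make the tcpdump line in the first post concrete, here is an added example (not from this thread or from tcpdump itself) that builds and decodes an ICMP "destination unreachable" message of type 3, code 13 (communication administratively prohibited). Per RFC 792, such an error is sent by the device that filtered a datagram, to that datagram's source, and it quotes the IP header plus the first 8 bytes of the datagram it dropped, so decoding the quoted header tells you which of your own flows triggered it. The sample packet uses the thread's placeholder addresses and assumes ME is 10.0.0.5 and the blocked flow was a TCP SYN to port 80; those values are constructed.

```python
import ipaddress
import struct
# tcpdump's wording for common ICMP "destination unreachable" (type 3) codes
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net admin prohibited", 10: "host admin prohibited",
                 13: "admin prohibited filter"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4 and ICMP headers."""
    data += b"\x00" * (len(data) % 2)            # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_admin_prohibited(reporter, receiver, orig_src, orig_dst, orig_l4: bytes) -> bytes:
    """Constructed type 3 / code 13 error: filtering device 'reporter' tells 'receiver' its
    datagram orig_src -> orig_dst was dropped; RFC 792 quotes its IP header + first 8 bytes."""
    quoted = ipv4_header(orig_src, orig_dst, 6, len(orig_l4)) + orig_l4[:8]
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + quoted   # type, code, checksum=0, unused
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(reporter, receiver, 1, len(icmp)) + icmp

def parse_unreachable(pkt: bytes) -> dict:
    icmp = pkt[(pkt[0] & 0x0F) * 4:]             # skip the outer IPv4 header
    if pkt[9] != 1 or icmp[0] != 3 or inet_checksum(icmp) != 0:
        raise ValueError("not a valid ICMP destination-unreachable packet")
    quoted = icmp[8:]                              # original IP header + 8 bytes of L4
    l4 = quoted[(quoted[0] & 0x0F) * 4:][:8]
    ports = struct.unpack("!HH", l4[:4]) if quoted[9] in (6, 17) else (None, None)
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return {"reporter": ip(pkt[12:16]), "receiver": ip(pkt[16:20]), "code": icmp[1],
            "reason": UNREACH_CODES.get(icmp[1], "code %d" % icmp[1]),
            "orig_src": ip(quoted[12:16]), "orig_dst": ip(quoted[16:20]),
            "orig_sport": ports[0], "orig_dport": ports[1]}

def tcpdump_line(pkt: bytes) -> str:
    d = parse_unreachable(pkt)                     # old tcpdump "host X unreachable" form
    return "%s > %s: icmp: host %s unreachable - %s" % (
        d["reporter"], d["receiver"], d["orig_dst"], d["reason"])

# Constructed sample: 111.111.111.111 reports to ME (10.0.0.5, assumed) that ME's TCP SYN
# to 222.222.222.222:80 was filtered; addresses are the thread's placeholders.
SAMPLE = build_admin_prohibited("111.111.111.111", "10.0.0.5", "10.0.0.5",
                                "222.222.222.222", struct.pack("!HHII", 40000, 80, 1, 0))
```

Decoding a captured packet this way shows the quoted inner src/dst and ports, which is the information the one-line tcpdump summary leaves out.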
 