From: Hasse Hansson
Organization: The Valhalla Project
To: Roman Neuhauser
Cc: FreeBSD Questions
Date: Mon, 15 Sep 2003 12:17:01 +0200
Subject: Re: Need help to interp kernel log message.

On Saturday 13 September 2003 03.24, Roman Neuhauser wrote:
> # webmaster@swedehost.com / 2003-09-12 05:37:17 +0200:
> > I've got a message in my logfiles that I don't understand.
> > The ip-addresses are none that I'm to my knowing are associated
> > with. Wonder what it is or if it's anything to worry about.
> >
> > odin.swedehost.com kernel log messages:
> > > icmp redirect from 65.104.98.146: 204.152.184.189 =>
> > > 65.104.98.145
> >
> > Checking up on the above Ip-addresses don't ring any bells either.
>
> Looks like your machine was sending traffic to 204.152.184.189,
> and an intermediate host at 65.104.98.146 sent an ICMP redirect
> message telling it to send them to 65.104.98.145 instead. See RFC
> 792.
>
> As for security concerns: any packet might have the source
> address spoofed, and obeying ICMP type 5 messages in a hostile
> environment (like the internet) means you're giving your network
> traffic out for public consumption.

Thx for your answer.
In my rc.conf file, I do have

icmp_drop_redirect="YES"
icmp_log_redirect="YES"

but I guess that's not enough. Probably have to block in my firewall.
After reading your reply, I've done some more digging, and this is what
I've found.

  5  Redirect  [RFC792]

     Codes
       0  Redirect Datagram for the Network (or subnet)
       1  Redirect Datagram for the Host
       2  Redirect Datagram for the Type of Service and Network
       3  Redirect Datagram for the Type of Service and Host

/Geir.
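
Added example, not part of the original thread: a small Python decoder for an ICMP type 5 message in the RFC 792 layout, which validates the checksum and rebuilds the kernel log line quoted above from the packet fields. The sample packet is constructed; its code value (1) and the inner source address 192.0.2.10 are assumptions, since the log line does not show them.

```python
import ipaddress
import struct

# Code values for ICMP type 5, as listed in the message above (RFC 792).
REDIRECT_CODES = {
    0: "Redirect Datagram for the Network (or subnet)",
    1: "Redirect Datagram for the Host",
    2: "Redirect Datagram for the Type of Service and Network",
    3: "Redirect Datagram for the Type of Service and Host",
}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by ICMP; 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(sender: str, icmp: bytes) -> dict:
    """Decode one ICMP redirect; raise ValueError on anything malformed."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus embedded IP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 5 or code not in REDIRECT_CODES:
        raise ValueError("not a valid ICMP redirect")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    gateway = ipaddress.IPv4Address(icmp[4:8])   # router the sender proposes
    inner = icmp[8:]                             # header of the datagram we sent
    if inner[0] >> 4 != 4:
        raise ValueError("embedded datagram is not IPv4")
    dst = ipaddress.IPv4Address(inner[16:20])    # where our traffic was going
    return {"code": REDIRECT_CODES[code], "dst": str(dst),
            "gateway": str(gateway),
            "log": f"icmp redirect from {sender}: {dst} => {gateway}"}

def build_sample() -> bytes:
    """Constructed sample using the addresses from the log line above."""
    # Embedded IPv4 header; inner checksum left 0 because it is not checked here.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address("192.0.2.10").packed,
                        ipaddress.IPv4Address("204.152.184.189").packed)
    inner += b"\x00" * 8  # first 64 bits of the original datagram's data
    body = ipaddress.IPv4Address("65.104.98.145").packed + inner
    csum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, csum) + body
```

The sender address passed to `parse_redirect` comes from the outer IP header, which the decoder cannot authenticate; the checksum only catches corruption.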