Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 15 Sep 2003 23:41:26 +0200
From:      Hasse Hansson <webmaster@swedehost.com>
To:        Roman Neuhauser <neuhauser@bellavista.cz>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Need help to interp kernel log message.
Message-ID:  <200309152341.26609.webmaster@swedehost.com>
In-Reply-To: <20030915120212.GC2511@freepuppy.bellavista.cz>
References:  <200309120537.17416.webmaster@swedehost.com> <200309151217.02016.webmaster@swedehost.com> <20030915120212.GC2511@freepuppy.bellavista.cz>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Monday 15 September 2003 14.02, Roman Neuhauser wrote:
> # webmaster@swedehost.com / 2003-09-15 12:17:01 +0200:
> > On Saturday 13 September 2003 03.24, Roman Neuhauser wrote:
> > > # webmaster@swedehost.com / 2003-09-12 05:37:17 +0200:
> > > > I 've got a message in my logfiles that I don't understand.
> > > > The ip-addresses are none that I'm to my knowing are associated
> > > > with. Wonder what it is or if it's anything to worry about.
> > > >
> > > > odin.swedehost.com kernel log messages:
> > > > > icmp redirect from 65.104.98.146: 204.152.184.189 =>
> > > > > 65.104.98.145
> > > >
> > > > Checking up on the above Ip-addresses don't ring any bells
> > > > ider.
> > >
> > >     Looks like your machine was sending traffic to
> > > 204.152.184.189, and an intermediate host at 65.104.98.146 sent
> > > an ICMP redirect message telling it to send them to 65.104.98.145
> > > instead. See RFC 792.
> > >
> > >     As for security concerns: any packet might have the source
> > > address spoofed, and obeying ICMP type 5 messages in a hostile
> > > environment (like the internet) means you're giving your network
> > > traffic out for public consumption.
> >
> > Thx for your answer.
> > In my rc.conf file, I do have
> > icmp_drop_redirect="YES"
> > icmp_log_redirect="YES"
> > but I guess that's not enough.
> > Probably have to block in my firewall.
>
>     what makes you think so? did the box really change the route?

Ahhh....
You mean it dropped and logged it. Just as supposed to ?

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200309152341.26609.webmaster>