My Cisco teacher at school runs a firewall and he told me he gets scanned tons of times. I just never saw these things echoed to my display before, so it scared me. - Kath ----- Original Message ----- From: "Angela Nash" <[EMAIL PROTECTED]> To: "'psyche'" <[EMAIL PROTECTED]>; "Kath" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Saturday, March 24, 2001 7:31 PM Subject: RE: [techtalk] Re: Odd firewall outputs (cont) > If your connection is on cable or DSL, expect to get port scanned every few > minutes. You'll fill up your firewall logs very fast. > > Jason > > -----Original Message----- > From: psyche [mailto:[EMAIL PROTECTED]] > Sent: Saturday, March 24, 2001 7:26 PM > To: Kath > Cc: [EMAIL PROTECTED] > Subject: Re: [techtalk] Re: Odd firewall outputs (cont) > > > > > On Sat, 24 Mar 2001, Kath wrote: > > > Is that (the IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202!) > > anything to worry about? > > > > - Kath > > ----- Original Message ----- > > From: Kath > > To: [EMAIL PROTECTED] > > Sent: Saturday, March 24, 2001 12:58 PM > > Subject: Odd firewall outputs > > > > > > I have a Debian 2.2 firewall doing ipmasquerade running the kernel that > > came with it (2.2.18 IIRC). > > > > This machine also serves as a web, email and DNS server. > > > > I woke up this morning and saw the following on the monitor: > > > > IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202 > > IP_MASQ:reverse ICMP: failed checksum from 24.112.23.202 > > > > I was curious about this since I use IP masquerading, too, so I looked up > some info on it. From what I was able to find out, it appears someone is > pointing a port scanner at your network--and most likely a script kiddie > type, because a more experienced cracker would fix the checksum, so the > error wouldn't be produced. At least that's what one person said. > > If you had a friend scan your network, I'd double check and ask them about > it, even if the IP looks weird, to make sure it wasn't them. (P.S.--my IP > will show up in the logs, too--since I just sent you a finger request to > see if you were running finger). > > In the meantime, I would check out /var/log/messages for other evidence of > a scan, and plug up any security holes you have. From doing an nslookup on > the IP, it looks like someone possibly on a cable modem or DSL, I > think. It could be just some curious person being fast and loose with > their port scanner, and just poking around, rather than a serious > plan to attack, too. I know I sure get paranoid every time I see > something odd like that--and it's usually nothing to worry too bad about > after all. > > psyche > > P.S.--a personal 'thank you' to you for posting the error--it inspired me > to look up stuff and learn something new and useful. :) > > > _______________________________________________ > techtalk mailing list > [EMAIL PROTECTED] > http://www.linux.org.uk/mailman/listinfo/techtalk > _______________________________________________ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk