[techtalk] Re: Odd firewall outputs (cont)

psyche psyche at gci.net
Sat Mar 24 16:26:04 EST 2001

On Sat, 24 Mar 2001, Kath wrote:

> Is that (the IP_MASQ:reverse ICMP: failed checksum from!) 
> anything to worry about?
> - Kath
>   ----- Original Message ----- 
>   From: Kath 
>   To: techtalk at linuxchix.org 
>   Sent: Saturday, March 24, 2001 12:58 PM
>   Subject: Odd firewall outputs
>   I have a Debian 2.2 firewall doing ipmasquerade running the kernel that 
>   came with it (2.2.18 IIRC).  
>   This machine also serves as a web, email and DNS server.
>   I woke up this morning and saw the following on the monitor:
>   IP_MASQ:reverse ICMP: failed checksum from
>   IP_MASQ:reverse ICMP: failed checksum from

I was curious about this since I use IP masquerading, too, so I looked up
some info on it.  From what I was able to find out, it appears someone is
pointing a port scanner at your network--and most likely a script kiddie
type, because a more experienced cracker would fix the checksum, so the
error wouldn't be produced.  At least that's what one person said.  

If you had a friend scan your network, I'd double check and ask them about
it, even if the IP looks weird, to make sure it wasn't them.  (P.S.--my IP
will show up in the logs, too--since I just sent you a finger request to
see if you were running finger).

In the meantime, I would check out /var/log/messages for other evidence of
a scan, and plug up any security holes you have.  From doing an nslookup on 
the IP, it looks like someone possibly on a cable modem or DSL, I
think.  It could be just some curious person being fast and loose with
their port scanner, and just poking around, rather than a serious
plan to attack, too.  I know I sure get paranoid every time I see
something odd like that--and it's usually nothing to worry too bad about
after all. 


P.S.--a personal 'thank you' to you for posting the error--it inspired me
to look up stuff and learn something new and useful. :) 
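
Added example, not part of the original message: one way to do the /var/log/messages check suggested above, tallying the "IP_MASQ:reverse ICMP: failed checksum" lines per source address and flagging any source that logs several of them in a short window. The syslog line layout, the dotted-quad address after "from" (the post omits it), the sample lines and the burst threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in classic syslog layout; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 24 06:12:01 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 203.0.113.45!
Mar 24 06:12:01 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 203.0.113.45!
Mar 24 06:12:03 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 203.0.113.45!
Mar 24 06:40:10 fw named[212]: Lame server on 'example.org'
Mar 24 09:15:44 fw kernel: IP_MASQ:reverse ICMP: failed checksum from 198.51.100.7!
"""

# Assumed layout: "<Mon> <day> <time> <host> kernel: <message> <source address>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"IP_MASQ:reverse ICMP: failed checksum from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def checksum_failures(log_text):
    """Return {source_ip: [datetime, ...]} for every checksum-failure line."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog omits the year; a fixed leap year keeps "Feb 29" parseable
            when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            hits[m["src"]].append(when)
    return dict(hits)

def bursts(hits, min_count=3, window=timedelta(seconds=60)):
    """Sources with at least min_count failures inside one window (assumed threshold)."""
    flagged = {}
    for src, times in hits.items():
        times = sorted(times)
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                flagged[src] = len(times)
                break
    return flagged

if __name__ == "__main__":
    hits = checksum_failures(SAMPLE_LOG)  # or open("/var/log/messages").read()
    for src, times in sorted(hits.items()):
        print(f"{src}: {len(times)} failure(s), "
              f"first {times[0]:%b %d %H:%M:%S}, last {times[-1]:%b %d %H:%M:%S}")
    print("burst sources:", bursts(hits))
```

A single stray line from one address reads differently from a burst, so comparing the flagged sources against the other entries logged around the same timestamps is the useful next step.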

