[Dshield] Re: ICMP destination unreachable

William Sipila william at osource.com
Mon Nov 5 19:16:54 GMT 2001


> One possible cause is that you have a user that tries to connect to
> your exchange server using the native exchange protocol (that is,
> neither SMTP, POP3 or IMAP) and that sits beyond a NAT box. Since the
> server will look at the IP address that is inside the packet data
> instead of using the IP header to respond and since that packet will
> contain the internal, non-routable IP of the target machine, it will
> fail to be routed.

native exchange protocol?  like some sort of IPC?

> If that is what's happening, then you might want to have a good look
> at your router's configuration: It means that you didn't implement
> egress filtering on your border routers and have not blocked private
> IP ranges.
> 
> Good luck,
> Stephane

i only have very basic egress filtering set up.  i *do* have a NAT box on
the network, so that may be what it is.  i'll kill the IANA reserved
netblocks (those are the ones, right?) and see if that makes a difference.

hmmm... i was just looking at the router config: should i kill outbound
packets going *to* the reserved addresses, or outbound packets *from* the
reserved addresses (ie: from the inside)?  or both?  :)

> Your guess sounds right. One thing you can do: Set up tcpdump or a tool
> like that to capture the ICMP packets. The original packet that caused the
> problem should be attached as a payload.

i'll look for a win32 ver of tcpdump and play with it.  which brings up a
new question (sorry for all the newb ?s today): wouldn't snort have captured
that if i was running in full packet logging mode?  or is there packet info
that snort doesn't see, that tcpdump will?

thanks!!

	- will

--\/------------------------------------------------------------ 
    Developer/SysAdmin, OUTSOURCE Consulting Services, Inc. 
    william at osource.com | www.osource.com 
--/\------------------ 
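
The check suggested in the thread (read the original packet quoted inside the ICMP destination unreachable and see whether it was headed for a private address), as an added example that is not part of the original post. The function names, sample addresses and ports are constructed for illustration, and the input is assumed to start at the ICMP header.

```python
import ipaddress
import struct

# RFC 1918 private ranges, the "private IP ranges" discussed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_unreachable(icmp):
    """Return details of the packet quoted in an ICMP type 3 message,
    or None if the bytes are not a usable destination unreachable."""
    if len(icmp) < 28 or icmp[0] != 3:
        return None
    inner = icmp[8:]  # 8-byte ICMP header, then the original IP header
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    src = str(ipaddress.ip_address(inner[12:16]))
    dst = str(ipaddress.ip_address(inner[16:20]))
    result = {"code": icmp[1], "proto": inner[9], "src": src, "dst": dst,
              "src_private": is_rfc1918(src), "dst_private": is_rfc1918(dst)}
    # The quote includes the first 8 bytes of the transport header,
    # which is enough to recover TCP/UDP ports.
    if inner[9] in (6, 17) and len(inner) >= ihl + 4:
        result["sport"], result["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return result

def build_sample():
    """Constructed sample: host unreachable (code 1) quoting a TCP packet
    from 203.0.113.10 to 192.168.1.50. Checksums are left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                         ipaddress.ip_address("203.0.113.10").packed,
                         ipaddress.ip_address("192.168.1.50").packed)
    l4 = struct.pack("!HHI", 1030, 1026, 0)  # sport, dport, sequence number
    return struct.pack("!BBHI", 3, 1, 0, 0) + ip_hdr + l4

if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```

A quoted packet with `dst_private` set means a packet addressed to a private range left the network, which is the case an outbound filter on private destinations would have dropped.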



