
From: Baribault, Gary (garybaribault.net)
Date: Mon Jun 11 2001 - 13:40:24 CDT


    Someone inside here as well as someone from the list pointed out the
    protocol, and it seems that this in fact has nothing to do with Postfix, it
    is actually a form of traceroute. Sorry for the bother and thanks for the
    answers.

    Gary Baribault

    At 11:15 AM 6/11/2001 -0700, brian moore wrote:
    >On Mon, Jun 11, 2001 at 01:59:50PM -0400, Baribault, Gary wrote:
    > > Hello All,
    > >
    > > I have a postfix server on RedHat 7.0 that has been running for a
    > while.
    > > Last night a server in Russia tried to establish a connection from a
    > > Russian server at 212.22.68.49. A brief snippet of my firewall log is:
    > > Jun 10 14:44:54 smtp kernel: Packet log: input REJECT eth0 PROTO=6
    > > 212.22.68.49:65535 216.18.119.250:65535 L=40 S=0x00 I=10141 F=0x0040 T=43
    > > (#113)
    > > Jun 10 14:45:10 smtp kernel: Packet log: output REJECT eth0 PROTO=1
    > > 216.18.119.250:11 212.22.68.49:1 L=576 S=0xC0 I=49601 F=0x0000 T=255 (#20)
    > >
    > > What we have here is a connection attempt at port 65535 that is refused.
    > > This doesn't bother me since we get this sort of activity daily, what
    > > bothers the heck out of me is the line that follows where my server tries
    > > to reach their port 1 from my port 11. Can anyone tell me what this is?
    >
    >note the 'proto=1'.
    >
    >Protocol 1 is ICMP. So your machine was sending a response to theirs.
    >In this case, it was a type 11 ICMP packet:
    >
    >#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
    >
    >or, in English, the TTL expired by the time it hit your machine (ie,
    >they set a 10-hop TTL and your machine was the 10th hop, like a
    >traceroute).
    >
    >Dunno what this has to do with postfix, though.

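As an added example (not code from the thread), the following parses the two ipchains "Packet log:" lines quoted above and decodes the PROTO=1 line the way brian describes: for ICMP, ipchains writes the ICMP type and code into the source and destination "port" positions, so `216.18.119.250:11 212.22.68.49:1` is an ICMP Time Exceeded message, not a port-11-to-port-1 connection. The type and code names come from RFC 792; the helper names are the author's own.

```python
import re

# The two ipchains log lines quoted in the thread above (Linux 2.2 "Packet log:" format).
LOG_LINES = [
    "Jun 10 14:44:54 smtp kernel: Packet log: input REJECT eth0 PROTO=6 "
    "212.22.68.49:65535 216.18.119.250:65535 L=40 S=0x00 I=10141 F=0x0040 T=43 (#113)",
    "Jun 10 14:45:10 smtp kernel: Packet log: output REJECT eth0 PROTO=1 "
    "216.18.119.250:11 212.22.68.49:1 L=576 S=0xC0 I=49601 F=0x0000 T=255 (#20)",
]

# Field layout: direction action iface PROTO=n src:sp dst:dp L=len S=tos I=id F=frag T=ttl (#rule)
PATTERN = re.compile(
    r"Packet log: (?P<dir>input|output|forward) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sp>\d+) (?P<dst>[\d.]+):(?P<dp>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# ICMP type and Time Exceeded code names per RFC 792.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
TIME_EXCEEDED_CODES = {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"}


def parse_ipchains(line):
    """Return the fields of one ipchains log line as a dict, or None if the line does not match."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sp", "dp", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    for key in ("tos", "frag"):
        rec[key] = int(rec[key], 16)
    return rec


def describe(rec):
    """One-line summary; for PROTO=1 the 'port' fields are really the ICMP type and code."""
    if rec["proto"] == 1:
        icmp_type, icmp_code = rec["sp"], rec["dp"]
        tname = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
        codes = TIME_EXCEEDED_CODES if icmp_type == 11 else {}
        detail = codes.get(icmp_code, f"code {icmp_code}")
        return f"{rec['dir']} ICMP {tname} ({detail}) {rec['src']} -> {rec['dst']}, TTL {rec['ttl']}"
    name = PROTO_NAMES.get(rec["proto"], f"proto {rec['proto']}")
    return f"{rec['dir']} {name} {rec['src']}:{rec['sp']} -> {rec['dst']}:{rec['dp']}, TTL {rec['ttl']}"


if __name__ == "__main__":
    for line in LOG_LINES:
        print(describe(parse_ipchains(line)))
```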