negge
newbie
Topic Author
Posts: 36
Joined: Fri Jul 10, 2009 11:05 am

Dropped ICMP packets from unknown interface

Fri Jan 07, 2011 3:04 pm

Hi guys,

My log is being cluttered with a lot of dropped ICMP packets that have the router's internal address both as source and destination. Here's an excerpt from the log:
Jan/07/2011 14:40:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:40:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:40:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:45:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:45:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:45:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:50:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:50:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:50:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
My question is, what are these packets and should I continue dropping them or not?

These are my firewall filter rules (the relevant rules are marked in bold):
/ip firewall filter
add action=jump chain=input comment="Jump all incoming traffic whatsoever to a new chain for sanitization" \
disabled=no in-interface=WAN jump-target=sanitize
add action=jump chain=forward comment="" disabled=no in-interface=WAN jump-target=sanitize
add action=drop chain=sanitize comment="Drop invalid connections" connection-state=invalid disabled=no
add action=log chain=sanitize comment="Log and drop packets from blacklisted IPs" disabled=no log-prefix=\
"\"Packet dropped: Blacklisted IP (member of fagget list)\"" src-address-list=faggets
add action=drop chain=sanitize comment="" disabled=no src-address-list=faggets
add action=log chain=sanitize comment="" disabled=no log-prefix=\
"\"Packet dropped: Blacklisted IP (SSH failed login)\"" src-address-list=ssh_blacklist
add action=drop chain=sanitize comment="" disabled=no src-address-list=ssh_blacklist
add action=drop chain=sanitize comment="Drop packets from known port scanners" disabled=no src-address-list=\
port_scanners
add action=accept chain=sanitize comment="Accept established and related connections" connection-state=\
established disabled=no
add action=accept chain=sanitize comment="" connection-state=related disabled=no
add action=log chain=sanitize comment="Add new portscanners to address list log" disabled=no log-prefix=\
"\"IP blacklisted: port scanner\"" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=4w2d chain=sanitize comment=\
"" disabled=no protocol=tcp psd=21,3s,3,1
add action=return chain=sanitize comment="" disabled=no
add action=return chain=sanitize comment="" disabled=no
add action=jump chain=forward comment="SSH traffic filtering" disabled=no dst-port=22,2200 in-interface=WAN \
jump-target=ssh protocol=tcp
add action=accept chain=ssh comment="Accept all from whitelisted addresses" disabled=no protocol=tcp \
src-address-list=ssh_whitelist
add action=log chain=ssh comment="Log and blacklist immediately addresses attempting on port 22" \
connection-state=new disabled=no dst-port=22 log-prefix="\"IP blacklisted: SSH attempt on port 22\"" \
protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=ssh comment="" \
connection-state=new disabled=no dst-port=22 protocol=tcp
add action=log chain=ssh comment="Log and blacklist after three unsuccessfull attempts to log in" \
connection-state=new disabled=no log-prefix="\"IP blacklisted: SSH Too many login attempts\"" protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=52w1d chain=ssh comment="" \
connection-state=new disabled=no protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=ssh comment="" \
connection-state=new disabled=no protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=ssh comment="" \
connection-state=new disabled=no protocol=tcp
add action=accept chain=ssh comment="Accept if not blacklisted" disabled=no protocol=tcp
add action=return chain=ssh comment="" disabled=no
add action=jump chain=input comment="Process UDP traffic separately" disabled=no jump-target=udp_chain \
protocol=udp
add action=accept chain=udp_chain comment="DHCP (need to be checked)" disabled=no dst-port=68 protocol=udp \
src-port=67
add action=drop chain=udp_chain comment="Drop DHT traffic" disabled=no dst-port=32459,56544 protocol=udp
add action=return chain=udp_chain comment="" disabled=no
add action=accept chain=input comment="Accept only ping requests from WAN" disabled=no icmp-options=8:0-255 \
in-interface=WAN protocol=icmp
add action=accept chain=input comment="Accept all ICMP traffic from LAN" disabled=no in-interface=LAN protocol=\
icmp

add action=accept chain=input comment="Accept IGMP multicast from modem (why\?)" disabled=no dst-address-type=\
multicast in-interface=WAN protocol=igmp
add action=accept chain=input comment="Accept Winbox communication" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept FTP to router from local network" disabled=no in-interface=LAN
add action=accept chain=input comment="Accept DNS requests from internal network" disabled=no dst-port=53 \
in-interface=LAN protocol=udp
add action=jump chain=forward comment="Jump incoming traffic to gorbachov to new chain" disabled=no \
dst-address=10.110.1.1 in-interface=WAN jump-target=gorbachov protocol=tcp
add action=accept chain=gorbachov comment="Accept Bittorrent traffic" disabled=no dst-port=32459 protocol=tcp
add action=accept chain=gorbachov comment="Accept Deluge daemon and web interface traffic" disabled=no \
dst-port=58846,8112 protocol=tcp
add action=accept chain=gorbachov comment="Accept Hath traffic" disabled=no dst-port=60000 protocol=tcp
add action=return chain=gorbachov comment="" disabled=no
add action=jump chain=forward comment="Jump incoming traffic to stalin to new chain" disabled=no dst-address=\
10.110.1.2 in-interface=WAN jump-target=stalin protocol=tcp
add action=accept chain=stalin comment="Accept HTTP traffic" disabled=no dst-port=80 protocol=tcp
add action=return chain=stalin comment="" disabled=no
add action=jump chain=forward comment="Jump incoming traffic to jeltsin to new chain" disabled=no dst-address=\
10.110.3.1 in-interface=WAN jump-target=jeltsin
add action=accept chain=jeltsin comment="Accept Bittorrent traffic (for \B5Torrent)" disabled=no dst-port=56544 \
protocol=tcp
add action=accept chain=jeltsin comment="Accept RDP traffic" disabled=no dst-port=3389 protocol=tcp
add action=accept chain=jeltsin comment="Accept DC++ (TCP, UDP and TLS)" disabled=no dst-port=9997-9998 \
protocol=tcp
add action=accept chain=jeltsin comment="" disabled=no dst-port=9999 protocol=udp
add action=return chain=jeltsin comment="" disabled=no
add action=jump chain=forward comment="Jump incoming traffic to oxygen to new chain" disabled=no dst-address=\
10.110.1.10 in-interface=WAN jump-target=oxygen
add action=accept chain=oxygen comment="Accept SSH traffic" disabled=no dst-port=9122 protocol=tcp
add action=accept chain=oxygen comment="Accept HTTP traffic" disabled=no dst-port=9180 protocol=tcp
add action=return chain=oxygen comment="" disabled=no
add action=accept chain=forward comment="Accept all outgoing traffic by default" disabled=no out-interface=WAN
add action=reject chain=input comment="Reject ident packets" disabled=no dst-port=113 in-interface=WAN \
protocol=tcp reject-with=icmp-protocol-unreachable
add action=log chain=input comment="Log and drop everything else" disabled=no log-prefix="\"Drop incoming\""
add action=log chain=forward comment="" disabled=no log-prefix="\"Drop incoming (forward)\""
add action=drop chain=input comment="" disabled=no
add action=drop chain=forward comment="" disabled=no
Thanks in advance,
negge
mrz
MikroTik Support
Posts: 5886
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Dropped ICMP packets from unknown interface

Mon Jan 10, 2011 10:25 am

The router is pinging itself; that is why you see those packets. Check scripts, netwatch, or any other part of the configuration where ping is used to detect reachability.
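
Added example, not part of either post: a Python sketch that parses log lines in the format quoted in the first post, picks out ICMP packets whose source and destination are the same address with in:(unknown), and measures the spacing between bursts. A constant spacing is consistent with a timed ping such as the scripts or netwatch checks named in the reply; the extra TCP line and its addresses are constructed, and the function names are this example's own.

```python
import re
from datetime import datetime

# Line layout copied from the log excerpt in the first post.
SELF = ('{} firewall,info "Drop incoming" input: in:(unknown) out:(none), '
        'proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64')
# Constructed sample: the nine lines from the post plus one made-up WAN drop
# (203.0.113.7 and 198.51.100.2 are documentation addresses, not from the thread).
SAMPLE_LOG = "\n".join(
    [SELF.format(f"Jan/07/2011 14:{m}:03") for m in (40, 40, 40, 45, 45, 45, 50, 50, 50)]
    + ['Jan/07/2011 14:46:10 firewall,info "Drop incoming" input: in:WAN out:(none), '
       'proto TCP (SYN), 203.0.113.7:51234->198.51.100.2:22, len 60'])

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) firewall,info "(?P<prefix>[^"]*)" '
    r'(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), '
    r'proto (?P<proto>\w+)(?: \((?P<detail>[^)]*)\))?, '
    r'(?P<src>[\d.]+)(?::\d+)?->(?P<dst>[\d.]+)(?::\d+)?, len (?P<len>\d+)$')

def parse(line):
    """Split one firewall log line into fields; None if the layout differs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b/%d/%Y %H:%M:%S")
    return rec

def self_icmp_bursts(log_text):
    """Map timestamp -> count of ICMP packets with src == dst and no input interface."""
    bursts = {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        if (rec["proto"] == "ICMP" and rec["src"] == rec["dst"]
                and rec["in_if"] == "(unknown)"):
            bursts[rec["ts"]] = bursts.get(rec["ts"], 0) + 1
    return dict(sorted(bursts.items()))

def burst_intervals(bursts):
    """Seconds between consecutive bursts; a constant value suggests a timed job."""
    times = list(bursts)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    bursts = self_icmp_bursts(SAMPLE_LOG)
    for ts, n in bursts.items():
        print(ts.isoformat(sep=" "), f"{n} self-addressed ICMP packets")
    print("intervals (s):", burst_intervals(bursts))
```

ICMP type 3, code 1 is "destination unreachable, host unreachable", so each burst here is three such error messages generated and received by the router itself.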
