Samba error?

[shanghai]

Hi!
These lines appear in my logfiles

Code: Select all

Mar 16 14:32:03 tux eth0: link up, 10Mbps, half-duplex, lpa 0x0000
Mar 16 14:32:08 tux 10.1.146.51 sent an invalid ICMP type 11, code 0 error to a
broadcast: 23.251.199.255 on eth0
Mar 16 14:32:15 tux 10.1.146.51 sent an invalid ICMP type 11, code 0 error to a
broadcast: 23.251.199.255 on eth0

It seems to be linked to the use of samba. There are hundreds of these lines in an hour...
How can i understand what is it? (i don't know who is 10.1.146.51)
And how can i avoid all these lines to fill my logs (as they waste a lot of CPU, i imagine, and they make my logs useless) ?

This considering that
a) i still can't write firewall rules, so i've no firewall

b) i'm behind a NAT which covers all the users of my ISP.
Thank you!

[adaptr]

This may be an attempt to send illicit traffic through your box - a 10.x.x.x host should never send a broadcast to an different subnet!

A NAT connection to your ISP ?
That sounds ... weird.
You mean you don't even have a real IP address ?

[shanghai]

Exactly. And, if i want a public IP address, i need a tunneling service towards a server which is outside of my ISP network.
Are 10.x.x.x reserved address?

[adaptr]

Exactly. And, if i want a public IP address, i need a tunneling service towards a server which is outside of my ISP network.

Double weird - your ISP should be the first stop toward giving you a public IP address.

Are 10.x.x.x reserved address?

Yes.
There are reserved (private) address ranges in each network class.
For Class A, this is 10.x.x.x - the whole 10. subnet is neither used nor routed on the internet.
Which is why one can never use such an address on a public network.
The first router it bumps into will drop all traffic.

[shanghai]

Better: i've an IP address which is just visible to the network inside the NAT (i.e. to the others using my ISP). If i give my ip "internal" address to someone inside this network he can browse my webserver...

Technically i could ask my provider for a public IP address, but i had to pay for it, so i don't want. Either, when i need a public IP i can use an ipv6 tunneling service (which isn't active actually).

What do you think i should do?

[adaptr]

I think you should consider switching to a decent provider
Really, these kinds of frauds deserve neither your money nor your support.

[shanghai]

I agree, but this is the fastest italian line
Heh...

[rewt]

As adaptr already said 10.x.x.x is an unroutable address so it seems the attack is coming from inside your ISP somewhere
The fact you're running Samba let alone the other services that are likely running on your box means you should serious learn to set up a firewall... FAST! There is no way in this world I would hang an unsecured box off my ISP and I barely run any services
There are some good online guides to getting a basic firewall going so it shouldn't take much work and believe me it is worth the investment of your time and energy
Good luck

[koma]

i've the some problem somebody help? or a soluction to drop it from dmesg ?

[robinmarlow]

I am on NTL cable & recently added a d-link 624+ router/firewall between me and the internet.
My logs have been filling up with:

Code: Select all

phoenix 10.186.239.254 sent an invalid ICMP type 3, code 13 error to a broadcast: 192.168.1.255 on eth1

i tried blocking icmp at the firewall & blocking that ip address, but nothing helped.

i'm kinda assuming that it is coming from my router itself and innocuous so:

Code: Select all

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

seems to make them go away.

Hope this helps someone

Robin