ICMP penetrated through the hardware firewall

I have Level One's firewall/router on my cable line, plus Zone Alarm as
the second line of defense on the computer. Every now and then, I see
blocked ICMPs (ICMP type 3, subtype 3) in my Zone Alarm's log. What are
these and how in the world can they come through the hardware firewall?
A buggy/leaky firewall?
level13 [ Thu, 17 Mar 2005 08:55 ] [ ID #700334 ]

Re: ICMP penetrated through the hardware firewall

level13 [at] gmail.com wrote:
> I have Level One's firewall/router on my cable line, plus Zone Alarm as
> the second line of defense on the computer. Every now and then, I see
> blocked ICMPs (ICMP type 3, subtype 3) in my Zone Alarm's log. What are
> these and how in the world can they come through the hardware firewall?
> A buggy/leaky firewall?

ICMP type 3 is "Destination unreachable", subtype 3 is "Port unreachable
error. When the designated transport protocol (e.g., UDP) is unable to
demultiplex the datagram but has no protocol mechanism to inform the
sender."

Your ZA log should show the source of the packet. Check what host it is
and if you have visited or sent something there. I suppose your firewall
just tries to forward a message that should be of interest for you, like
that some connection failed. I would not consider that a leaky firewall
but actually a good one. Unfortunately, most PFWs and cheap NAT routers
just drop all interesting and sometimes important ICMP messages...

Gerald
Gerald Vogt [ Thu, 17 Mar 2005 11:07 ] [ ID #700335 ]

Re: ICMP penetrated through the hardware firewall

On Thu, 17 Mar 2005 07:55:44, level13 [at] gmail.com wrote:

> I have Level One's firewall/router on my cable line, plus Zone Alarm as
> the second line of defense on the computer. Every now and then, I see
> blocked ICMPs (ICMP type 3, subtype 3) in my Zone Alarm's log. What are
> these and how in the world can they come through the hardware firewall?
> A buggy/leaky firewall?

Probably not.

What is the "source" IP-address in ZA's log of the packet?
Is it the "public" IP-address of your router, or the 'gateway' IP-address
(obtain this IP-address by using 'IPCONFIG' on your computer)?

If your hardware firewall is like my hardware firewall,
it's a 'PING' packet from your router
to all the computers on your "home" network,
rather than a 'PING' packet from the Internet-at-large
that "mysteriously" has penetrated.

Probably nothing to worry about, but show us your log-file.

(( posted and mailed ))
Klassen [ Thu, 17 Mar 2005 15:23 ] [ ID #701602 ]

Re: ICMP penetrated through the hardware firewall

OK, here's the relevant log section:

FWIN,2005/03/16,08:55:56 +1:00 GMT,212.114.239.128:0,192.168.xx.xx:0,ICMP (type:3/subtype:3)
FWIN,2005/03/16,10:23:06 +1:00 GMT,212.114.239.128:0,192.168.xx.xx:0,ICMP (type:3/subtype:3)
FWIN,2005/03/16,11:51:52 +1:00 GMT,212.114.239.128:0,192.168.xx.xx:0,ICMP (type:3/subtype:3)

The IP was external, judging from the name a DSL user. It might have
happened due to use of P2P applications, but I figured someone might
have as well tried to find a way to penetrate the hw firewall.
So nothing to worry about?
level13 [ Thu, 17 Mar 2005 15:47 ] [ ID #701603 ]

Re: ICMP penetrated through the hardware firewall

level13 [at] gmail.com wrote:

> I have Level One's firewall/router on my cable line, plus Zone Alarm as
> the second line of defense on the computer. Every now and then, I see
> blocked ICMPs (ICMP type 3, subtype 3) in my Zone Alarm's log. What are
> these and how in the world can they come through the hardware firewall?
> A buggy/leaky firewall?

There are many types of ICMPs. Ping is only one (actually ping is composed of
icmp echo and icmp echo reply). Your firewall is NOT blocking all ICMP
types. In fact you should not, you will have problems if you do. ICMP type
3 sub type 3 is icmp "destination unreachable port unreachable". This
happens when you send a packet to an IP address and the server is not
running a server on that port.

In short it is perfectly normal.

Michael
mjpelletier [ Fri, 18 Mar 2005 05:17 ] [ ID #702221 ]

Re: ICMP penetrated through the hardware firewall

On Thu, 17 Mar 2005 20:17:31 -0800, "Michael J. Pelletier"
<mjpelletier [at] mjpelletier.com> wrote:

>level13 [at] gmail.com wrote:
>
>> I have Level One's firewall/router on my cable line, plus Zone Alarm as
>> the second line of defense on the computer. Every now and then, I see
>> blocked ICMPs (ICMP type 3, subtype 3) in my Zone Alarm's log. What are
>> these and how in the world can they come through the hardware firewall?
>> A buggy/leaky firewall?
>
>
>There are many types of ICMPs. Ping is only one (actually ping is composed of
>icmp echo and icmp echo reply). Your firewall is NOT blocking all ICMP
>types. In fact you should not, you will have problems if you do. ICMP type
>3 sub type 3 is icmp "destination unreachable port unreachable". This
>happens when you send a packet to an IP address and the server is not
>running a server on that port.
>
>In short it is perfectly normal.
>
>Michael

Incoming or outgoing?
Taj Kazinga [ Fri, 18 Mar 2005 20:12 ] [ ID #703471 ]

Re: ICMP penetrated through the hardware firewall

level13 [at] gmail.com wrote:

> OK, here's the relevant log section:
> [...]

> The IP was external, judging from the name a DSL user.

It is an ICMP message from an external machine saying 'destination
unreachable, Port unreachable'. This means that you tried to connect to the
particular service on the external machine and this machine informs you
that your connection attempt has failed.

> It might have
> happened due to use of P2P applications,

Do you use P2P?

> but I figured someone might
> have as well tried to find a way to penetrate the hw firewall.

Nonsense.

> So nothing to worry about?

*Your* *internal* *box* gets informed by the external box via an ICMP
message that *your* *attempt* to connect the external box failed.

How far has it come that such useful ICMP messages, which are a sign of
totally normal network behavior, are regarded as a threat? It is correct
that your router forwards such messages to the internal box that tried to
connect to the external service/machine, and it is a sign of a totally
braindead ZA that it misinterprets such messages.

Wolfgang
Wolfgang Kueter [ Sat, 19 Mar 2005 12:32 ] [ ID #704542 ]
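The mechanism Gerald and Wolfgang describe, as an added Python example that is not part of the thread: it builds the ICMP type 3 / code 3 message an external host returns for a UDP datagram sent to a closed port, decodes the original IP and UDP header that RFC 792 requires the error to quote, and applies the check a stateful router uses to decide whether the error belongs to a flow an inside host opened. Addresses and ports are constructed, and the NAT rewrite of the quoted header is ignored.

```python
import socket
import struct

# ICMP names from RFC 792 for the types mentioned in the thread
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable", 3: "port unreachable"}

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; IP checksum left zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_port_unreachable(original_datagram: bytes) -> bytes:
    """Type 3 / code 3 error as the external host sends it: ICMP header + quoted IP header + 8 bytes."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[:ihl + 8]
    unchecked = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return struct.pack("!BBHI", 3, 3, checksum(unchecked), 0) + quoted

def parse_icmp_error(pkt: bytes) -> dict:
    """Decode a destination-unreachable message and the 5-tuple of the datagram it quotes."""
    if checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, _ = struct.unpack("!BBHI", pkt[:8])
    quoted = pkt[8:]
    ihl = (quoted[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"type": ICMP_TYPES.get(itype, itype), "code": UNREACH_CODES.get(code, code),
            "flow": (quoted[9], socket.inet_ntoa(quoted[12:16]), sport,
                     socket.inet_ntoa(quoted[16:20]), dport)}

def stateful_should_forward(err: dict, outbound_flows: set) -> bool:
    """Pass the error inward only if the quoted datagram matches a flow an inside host opened."""
    return err["type"] == "destination unreachable" and err["flow"] in outbound_flows

# Constructed sample: inside host sends UDP 192.168.1.10:4000 -> 212.114.239.128:4001,
# the remote port is closed, and the remote host answers with port unreachable.
UDP = 17
OUTBOUND = ipv4_header("192.168.1.10", "212.114.239.128", UDP, 28) + struct.pack("!HHHH", 4000, 4001, 8, 0)
REPLY = build_port_unreachable(OUTBOUND)
```

A router that keeps no flow table cannot make this distinction, which is why Gerald notes that cheap NAT boxes simply drop such errors.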
Miscellaneous » comp.security.firewalls » ICMP penetrated through the hardware firewall