Very Computer

My firewall has been getting two or three hits per day that have the
source port set to 3, and the destination port set to 1.  I can see
port 1 in /etc/services, but I don't see port 3 listed anywhere.  Any
ideas as to what this is?

The source IP address never resolves to anything, so I haven't bothered
to copy them over to this box.  The SYN flag is never set.  The packets
come in at either 12 or 24 second intervals.

Cheers,

James

These are icmp packets (not TCP, so SYN's are never set). icmp type 3 is
"destination unreachable", normally you can (must) receive it trying to
'traceroute' hosts.
If your firewall handles icmp types correctly (so if you really can
'traceroute'), than it may be some kind of "brute" behavior.

Read more about ports and attacs at
http://www.robertgraham.com/pubs/firewall-seen.html.

--
--------------------------
Dmytro O. Redchuk,
System Administrator
PopNet Kommunikation Kiew,

http://www.popnet.kiev.ua
Phone: (380).44.234.20.04
Phone: (380).44.234.20.06
Fax  : (380).44.234.22.24

compressnet       3/tcp                 # Compression Process
compressnet       3/udp                 # Compression Process

--
Posted via CNET Help.com
http://www.help.com/

It would help if you showed us the log message.  
Is the log from ipchains?

Chances are that you saw an ICMP packet (PROTO=1).
ipchains uses the position where it puts port numbers
for TCP and UDP for the Type and Code of ICMP packets.
In that case you saw a:

ICMP "Destination Unreachable", "Host Unreachable" packet.

If you use ipchains then this should help:
        <http://logi.cc/linux/ipchains-log-format.html>

BTW, ICMP packets of type 3 should never be blocked.

--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>