Since upgrading to WG Version 5 I have a problem with the Log recording thousands of incidents per hour of ICMP. The format is:
Wingate firewall hit report:
Time: 15/11/03 14:29:16
Reason: Port Range
Source MAC address: 00-0A-42-6E-50-54
Destination MAC address: 00-40-05-A1-42-04
Source IP address: 82.38.32.171 : N/A
Destination IP address: 82.41.61.234 : N/A
Protocol: ICMP
Time-to-live: 123
The problem results in gigantic Log files - about 60MB per month which I have to rename and archive to keep the size down to a manageable level.
It never used to do this - although being on a cable connection I am used to plenty of TCP/IP attacks. The Source and Destination Ports are always zero (now reported as N/A) and the IP addresses look close to mine so may be from other machines on the same ISP (Blueyonder).
Can anyone enlighten me as to what is going on here, and if logging of ICMP can in some way be switched off.
Regards
Andrew
Wingate Firewall Clogged with ICMP Logs
Moderator: Qbik Staff
3 posts
• Page 1 of 1
Wingate Firewall Clogged with ICMP Logs
by andrewclark » Nov 16 03 3:39 am
- andrewclark
- Posts: 25
- Joined: Nov 16 03 3:11 am
- Location: Edinburgh
by neil » Nov 20 03 11:12 am
I am not sure why you would get so many ICMP hits from your ISP's subnet, but as to ways for stopping the logs from getting so big, i can thikn of a couple of ways. Unfortuanately there is no way to turn off logging for just ICMP. However you could either allow machines to ping you (change the settings in the ENS properties under the firewall tab to 'Allow users to ping this machie from the internet'). Obviously this means internet computers will know you exist, but firewalls hits wont be generated, and thsu you're log files will be smaller.
You could also blackhole the range of ip's that are trying to ping you. This of course would mean that people from these machines wont be able to connect if you happen to be running any servers behind WinGate.
The next major release will allow you more control in this area of firewall rules, but that might be a little way off just yet.
Regards
Neil
You could also blackhole the range of ip's that are trying to ping you. This of course would mean that people from these machines wont be able to connect if you happen to be running any servers behind WinGate.
The next major release will allow you more control in this area of firewall rules, but that might be a little way off just yet.
Regards
Neil
- neil
- Qbik Staff
- Posts: 356
- Joined: Sep 03 03 2:42 pm
- Location: Auckland
Aha!
by andrewclark » Nov 20 03 11:45 am
Neil
Thanks for that suggestion. Allowing the pings from the internet has stopped the logging in its tracks! Although as you say it does make me slightly more visible.
I don't operate any servers behind the Firewall, so that's fine.
Many thanks for taking the trouble to reply - I thought I was going to draw a blank on this one. Keep up the good work!
Thanks for that suggestion. Allowing the pings from the internet has stopped the logging in its tracks! Although as you say it does make me slightly more visible.
I don't operate any servers behind the Firewall, so that's fine.
Many thanks for taking the trouble to reply - I thought I was going to draw a blank on this one. Keep up the good work!
- andrewclark
- Posts: 25
- Joined: Nov 16 03 3:11 am
- Location: Edinburgh
3 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 6 guests