On Sun, May 21, 2000 at 07:14:31AM -0700, Tom Williamson wrote:
>
> I used the excellent firewall page at
> http://linux-firewall-tools.com/linux/firewall/index.html to design
> a firewall script for my system, and it appears to work. But it's
> bloating my log files tremendously with entries like the ones below -
> anyone have any idea what they are?
>
>
> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 192.168.1.4:68 255.255.255.255:67 L=276 S=0x00 I=57684
> F=0x0000 T=128 (#7)
> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16158
> F=0x0000 T=128 (#7)
> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16414
> F=0x0000 T=128 (#7)
> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16670
> F=0x0000 T=128 (#7)
> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16926
> F=0x0000 T=128 (#7)
> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=14 F=0x0000
> T=255 (#12)
> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 24.1.196.86:68 255.255.255.255:67 L=576 S=0x00 I=0 F=0x0000
> T=64 (#69)
> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 169.254.242.8:68 255.255.255.255:67 L=604 S=0x00 I=19018
> F=0x0000 T=128 (#31)
> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 169.254.242.8:68 255.255.255.255:67 L=604 S=0x00 I=19274
> F=0x0000 T=128 (#31)
[...]
Cable modem? Most of this looks like 'normal' local broadcast traffic.
The 67/68 is DHCP server/client traffic. Not sure what 1015 is. From
the looks of it you have some noisy neighbors with misconfigured home
LANs letting internal traffic out too. I would say you definitely don't
need to log this kind of traffic. Annoying maybe, but harmless. Are
any of the IPs yours? Not sure you want to block DHCP server
connections to yourself. Depends maybe on how your provider is set up.
--
Hal B
[EMAIL PROTECTED]
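
To triage a log excerpt like the one quoted above, the following added example (not part of the original thread) parses ipchains `Packet log:` entries and tallies them by category, source address, destination port and rule number. The category names, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# ipchains "Packet log:" entry: chain, verdict, interface, protocol number,
# src:port, dst:port, header fields, then the matching rule number as (#n).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) [^(]*\(#(?P<rule>\d+)\)"
)

def classify(m):
    """Label a parsed entry; the labels are this example's own, not ipchains'."""
    bcast = m["dst"] == "255.255.255.255"
    if bcast and m["proto"] == "17" and (m["sport"], m["dport"]) == ("68", "67"):
        return "dhcp-client-broadcast"
    if bcast:
        return "other-broadcast"
    return "review"  # unicast traffic: worth a human look

def summarize(text):
    """Count entries per (category, source, dest port, rule) so noise stands out."""
    # Mail clients and syslog viewers wrap long entries; rejoin before matching.
    joined = re.sub(r"\s*\n\s*", " ", text)
    counts = Counter()
    for m in LOG_RE.finditer(joined):
        counts[(classify(m), m["src"], int(m["dport"]), int(m["rule"]))] += 1
    return counts

# Constructed sample in the same format as the quoted log, wrapped as in the mail.
SAMPLE = """\
May 21 07:20:52 host kernel: Packet log: input DENY eth0
PROTO=17 192.168.1.4:68 255.255.255.255:67 L=276 S=0x00 I=57684
F=0x0000 T=128 (#7)
May 21 07:20:52 host kernel: Packet log: input DENY eth0
PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16158
F=0x0000 T=128 (#7)
May 21 07:20:52 host kernel: Packet log: input DENY eth0
PROTO=17 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16414
F=0x0000 T=128 (#7)
May 21 07:20:53 host kernel: Packet log: input DENY eth0
PROTO=6 203.0.113.5:40000 198.51.100.7:23 L=60 S=0x00 I=4321
F=0x0000 T=52 (#9)
"""

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

The rule number in each key shows which rule is generating the broadcast entries, which is where logging would be turned off if that traffic is judged harmless.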