Hello Thomas,

Monday, May 22, 2000, 5:12:56 AM, you wrote:

BTG> Maybe someone on the outside is trying to spoof your machine with internal
BTG> network IPs?

>> -----Original Message-----
>> From: Tom Williamson [SMTP:[EMAIL PROTECTED]]
>> Sent: Sunday, May 21, 2000 10:15 AM
>> To:   Redhat List
>> Subject:      IP Firewall logging
>> 
>> I used the excellent firewall page at
>> <http://linux-firewall-tools.com/linux/firewall/index.html> to design a
>> firewall script for my system, and it appears to work.  But it's bloating
>> my log files tremendously with entries like the ones below - anyone have
>> any idea what they are?  
>>  
>> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.1.4:68 255.255.255.255:67 L=276 S=0x00 I=57684 F=0x0000 T=128 (#7)
>> 
>> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16158 F=0x0000 T=128
>> (#7) 
>> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16414 F=0x0000 T=128
>> (#7) 
>> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16670 F=0x0000 T=128
>> (#7) 
>> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16926 F=0x0000 T=128
>> (#7) 
>> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=12 F=0x0000 T=255 (#12) 
>> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 0.0.0.0:68 255.255.255.255:67 L=576 S=0x00 I=51981 F=0x0000 T=15 (#12) 
>> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=14 F=0x0000 T=255 (#12) 
>> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 24.1.196.86:68 255.255.255.255:67 L=576 S=0x00 I=0 F=0x0000 T=64 (#69) 
>> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 169.254.242.8:68 255.255.255.255:67 L=604 S=0x00 I=19018 F=0x0000 T=128
>> (#31) 
>> May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 169.254.242.8:68 255.255.255.255:67 L=604 S=0x00 I=19274 F=0x0000 T=128
>> (#31) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 24.1.195.172:68 255.255.255.255:67 L=276 S=0x00 I=41007 F=0x0000 T=128
>> (#69) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=18555 F=0x0000 T=254 (#12) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.120.1:1015 255.255.255.255:1015 L=176 S=0x00 I=45762 F=0x0000
>> T=128 (#7) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.120.1:1015 255.255.255.255:1015 L=176 S=0x00 I=46018 F=0x0000
>> T=128 (#7) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3 F=0x0000 T=255 (#12) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 169.254.100.1:68 255.255.255.255:67 L=604 S=0x00 I=20479 F=0x0000 T=128
>> (#31) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 169.254.100.1:68 255.255.255.255:67 L=604 S=0x00 I=20735 F=0x0000 T=128
>> (#31) 
>> May 21 07:20:54 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3 F=0x0000 T=255 (#12) 
>> May 21 07:20:55 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
>> 24.1.221.86:68 255.255.255.255:67 L=328 S=0x00 I=57057 F=0x0000 T=128
>> (#69) 
>> 



The 0.0.0.0 and 255.255.255.255 type 17 (UDP) ports 67 and 68 are
BOOTP and are probably a result of an NT or Windows machine booting up
and spewing onto your internal network. It could also perhaps be BOOTP
on one of your Linux machines? It could also maybe be a DSL modem, etc.
The best way to find out is to put a sniffer on the wire.


-- 
Best regards,
 badger                            mailto:[EMAIL PROTECTED]
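
An added example, not part of the original messages: a small Python parser for the ipchains "Packet log" entries quoted above that groups denied packets by service, source address class and the rule number in `(#N)`. The sample entries are copied from the quoted log with the quote markers removed; the function names and category labels are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One ipchains "Packet log" entry; \s+ tolerates the wrapping added by mail clients.
ENTRY = re.compile(
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=\d+\s+S=\S+\s+I=\d+\s+F=\S+\s+"
    r"T=(?P<ttl>\d+)\s+\(#(?P<rule>\d+)\)"
)
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ip_network("169.254.0.0/16")

def source_class(addr):
    ip = ip_address(addr)
    if ip == ip_address("0.0.0.0"):
        return "unspecified"   # client that has no address yet
    if ip in LINK_LOCAL:
        return "link-local"    # self-assigned auto-configuration range
    if any(ip in net for net in PRIVATE):
        return "rfc1918"
    return "public"

def service(rec):
    # UDP from client port 68 to server port 67 is a BOOTP/DHCP client request.
    if rec["proto"] == "17" and (rec["sport"], rec["dport"]) == ("68", "67"):
        return "bootp-client"
    return f"proto{rec['proto']}/{rec['dport']}"

def summarize(text):
    """Count logged packets by (service, source class, matching rule number)."""
    counts = Counter()
    for m in ENTRY.finditer(text):
        rec = m.groupdict()
        counts[(service(rec), source_class(rec["src"]), int(rec["rule"]))] += 1
    return counts

# Sample entries taken from the log quoted in this thread.
SAMPLE = """\
May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
192.168.1.4:68 255.255.255.255:67 L=276 S=0x00 I=57684 F=0x0000 T=128 (#7)
May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
192.168.0.2:1015 255.255.255.255:1015 L=176 S=0x00 I=16158 F=0x0000 T=128
(#7)
May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=12 F=0x0000 T=255 (#12)
May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
24.1.196.86:68 255.255.255.255:67 L=576 S=0x00 I=0 F=0x0000 T=64 (#69)
May 21 07:20:53 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17
169.254.242.8:68 255.255.255.255:67 L=604 S=0x00 I=19018 F=0x0000 T=128
(#31)
"""

if __name__ == "__main__":
    for (svc, cls, rule), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {svc:14s} {cls:12s} rule #{rule}")
```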


