Sorry, missed that 169 thing. Wes, the issue is that if a Windows PC is booted and cannot get an IP address from a DHCP server, it will assign itself an IP address on the 169.254.x.x subnet. Because the GNAT Box does not recognize this IP address, it sends a spoof alarm.
If you assign the GNAT Box PRO interface an alias on the 169.254.x.x subnet with a netmask of 255.255.0.0, the GNAT Box will no longer consider this to be "spoofed" traffic, and you can silence the alarms with a block/nolog filter. See the message thread, "howto filter some Possible spoofs" for more information. Mike Burden Lynk Systems http://www.lynk.com (616)532-4985 [EMAIL PROTECTED] > -----Original Message----- > From: Dan Swartzendruber [mailto:[EMAIL PROTECTED]] > Sent: Monday, December 09, 2002 10:45 AM > To: Wes Stewart; [EMAIL PROTECTED] > Subject: RE: [gb-users] DNS anomolies > > > At 08:46 AM 12/9/2002 -0700, Wes Stewart wrote: > >I tried applying all of the suggestions from last week and I am still > >getting this alarm. Neither of these addresses are on my LAN. > > > > ALARM NO: 4 > > DATE: Mon 2002-12-09 08:38:19 > > INTERFACE: PROTECTED (xl1) > >INTERFACE TYPE: Protected > > ALARM TYPE: Possible spoof > > IP PACKET: UDP > [169.254.78.209/137]-->[199.191.128.104/53] l=52 > > isn't the 169 address what windows (98 for sure) assigns when a dhcp > request fails? > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > To subscribe to the digest version first unsubscribe, then > e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > Archive of the last 1000 messages: > http://www.mail-archive.com/[email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Archive of the last 1000 messages: http://www.mail-archive.com/[email protected]
