Wow, for the first time since I can remember, my IP address has changed via DHCP with Shaw cable. I've seen it happen when I've changed eth0 NICs before, but never for no apparent reason.
The reason I noticed is that I saw a boatload of port80 logs. I have a line added to ipfilter.conf to not log port 80 stuff: #Deny and don't log Code Red stuff on port 80 $IPCH -I input 3 -j DENY -p tcp -s 0/0 -d $EXTERN_IP/32 80 -i $EXTERN_IF I checked my ip address via "ip addr" and saw the following for eth0: 7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:88:5f:c2:56:2e brd ff:ff:ff:ff:ff:ff inet 24.67.xx.xx/24 brd 24.67.xx.255 scope global eth0 inet 24.64.yy.yyy/24 brd 24.64.yy.255 scope global eth0 Weird. It appears eth0 has 2 IP addresses!?! My firewall is configured to block the first (I've had it for eons) but has no entries for the second. When I checked syslog there was a ton of "dhclient: DHCPREQUEST on eth0 to 24.64.aa.bbb port 67" starting a couple of days ago, then tonight I finally received the new IP (24.64.yy.yyy): Feb 1 16:34:21 ronin-firewall dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67 Feb 1 16:34:21 ronin-firewall dhclient: DHCPNAK from 24.64.yy.1 Feb 1 16:34:21 ronin-firewall dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 Feb 1 16:34:21 ronin-firewall dhclient: DHCPOFFER from 24.64.yy.1 Feb 1 16:34:24 ronin-firewall dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67 Feb 1 16:34:24 ronin-firewall dhclient: DHCPACK from 24.64.yy.1 Feb 1 16:34:27 ronin-firewall dhclient: bound to 24.64.yy.yyy -- renewal in 86400 seconds. Basically it wasn't until dhclient sent out a broadcast DHCPREQUEST that it got a response. I thought DHCP was a broadcast protocol? I notice the "option dhcp-server-identifier 24.64.aa.bbb" field in my dhclient.leases file. I guess this is used where possible then go back to 255.255.255.255 when it fails after trying for 24 hrs? Another strange thing is that my /var/state/dhcp/dhclient.leases file is growing with a new entry for every renegotiation about once every 24hrs. Questions: 1) When I get a new IP via DHCP shouldn't the firewall rules automatically update (I have dhclient 2.0pl5)? 2) Shouldn't "/var/state/dhcp/dhclient.leases" only contain a couple of entries and not grow over time? Anyone else see this file growing? 3) Shouldn't an ethernet adapter only be able to have one IP vs. the two I am seeing reported by "ip addr"? If there is 2, how would the firewall know which to use for the ipchain entries? I am wondering if this could have anything to do with my registering a domain and mapping it to my shaw ip? I have a web server running behind the firewall that is used only by me to check on the status of the house and some other low bandwidth stuff. The day I got my domain setup to point to my dynamic (but never until now, changing) IP I was flooded with port 25 (POP) traffic until I added a new rule similar to the code red one for port 80 above. Maybe the new IP is just caused by a DHCP server switch for my ISP but then why am I seeing the weirdness described above? Anyone have any ideas as to what might be happening? Cheers, Paul _______________________________________________ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user