Wow, for the first time since I can remember, my IP address has changed via
DHCP with Shaw cable. I've seen it happen when I've changed eth0 NICs
before, but never for no apparent reason.

The reason I noticed is that I saw a boatload of port 80 logs. I have a line
added to ipfilter.conf to not log port 80 stuff:

    #Deny and don't log Code Red stuff on port 80
    $IPCH -I input 3 -j DENY -p tcp -s 0/0 -d $EXTERN_IP/32 80 -i $EXTERN_IF

I checked my IP address via "ip addr" and saw the following for eth0:

    7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:88:5f:c2:56:2e brd ff:ff:ff:ff:ff:ff
        inet 24.67.xx.xx/24 brd 24.67.xx.255 scope global eth0
        inet 24.64.yy.yyy/24 brd 24.64.yy.255 scope global eth0

Weird. It appears eth0 has 2 IP addresses!?! My firewall is configured to
block the first (I've had it for eons) but has no entries for the second.

When I checked syslog there was a ton of "dhclient: DHCPREQUEST on eth0 to
24.64.aa.bbb port 67" starting a couple of days ago, then tonight I finally
received the new IP (24.64.yy.yyy):

    Feb 1 16:34:21 ronin-firewall dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
    Feb 1 16:34:21 ronin-firewall dhclient: DHCPNAK from 24.64.yy.1
    Feb 1 16:34:21 ronin-firewall dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
    Feb 1 16:34:21 ronin-firewall dhclient: DHCPOFFER from 24.64.yy.1
    Feb 1 16:34:24 ronin-firewall dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
    Feb 1 16:34:24 ronin-firewall dhclient: DHCPACK from 24.64.yy.1
    Feb 1 16:34:27 ronin-firewall dhclient: bound to 24.64.yy.yyy -- renewal in 86400 seconds.

Basically it wasn't until dhclient sent out a broadcast DHCPREQUEST that it
got a response. I thought DHCP was a broadcast protocol? I notice the
"option dhcp-server-identifier 24.64.aa.bbb" field in my dhclient.leases
file. I guess this is used where possible, then it goes back to
255.255.255.255 when it fails after trying for 24 hrs?

Another strange thing is that my /var/state/dhcp/dhclient.leases file is
growing with a new entry for every renegotiation, about once every 24 hrs.

Questions:

1) When I get a new IP via DHCP shouldn't the firewall rules automatically
update (I have dhclient 2.0pl5)?
2) Shouldn't "/var/state/dhcp/dhclient.leases" only contain a couple of
entries and not grow over time? Anyone else see this file growing?
3) Shouldn't an ethernet adapter only be able to have one IP vs. the two I
am seeing reported by "ip addr"? If there are 2, how would the firewall know
which to use for the ipchains entries?

I am wondering if this could have anything to do with my registering a
domain and mapping it to my Shaw IP? I have a web server running behind the
firewall that is used only by me to check on the status of the house and
some other low-bandwidth stuff. The day I got my domain set up to point to
my dynamic (but never until now, changing) IP I was flooded with port 25
(POP) traffic until I added a new rule similar to the Code Red one for port
80 above.

Maybe the new IP is just caused by a DHCP server switch for my ISP but then
why am I seeing the weirdness described above?
Anyone have any ideas as to what might be happening?
Cheers,
Paul
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
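
Added example (not part of the post above, and not LEAF or dhclient code): a POSIX shell check for the situation the post describes, where eth0 carries an address the ipchains rules were never written for and the latest dhclient "bound to" line no longer matches the firewall's address. The `ip addr` and syslog samples are constructed with documentation addresses, and the function names and the EXTERN_IP value are assumptions.

```shell
#!/bin/sh
# Added example. All addresses are constructed (RFC 5737 documentation ranges).

# Constructed `ip addr` output in the same shape as the post's: two inet lines on eth0.
sample_ip_addr() {
cat <<'EOF'
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet 198.51.100.20/24 brd 198.51.100.255 scope global eth0
EOF
}

# Constructed syslog lines in the shape dhclient wrote in the post.
sample_syslog() {
cat <<'EOF'
Feb  1 16:34:21 fw dhclient: DHCPNAK from 198.51.100.1
Feb  1 16:34:24 fw dhclient: DHCPACK from 198.51.100.1
Feb  1 16:34:27 fw dhclient: bound to 198.51.100.20 -- renewal in 86400 seconds.
EOF
}

# iface_addrs IFACE: `ip addr` text on stdin -> one IPv4 address per line for IFACE.
iface_addrs() {
    awk -v ifc="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        $1 == "inet" && cur == ifc { split($2, a, "/"); print a[1] }'
}

# uncovered_addrs IFACE FW_IP: addresses on IFACE the firewall rules were not built for.
uncovered_addrs() {
    iface_addrs "$1" | awk -v fw="$2" '$0 != fw'
}

# last_bound: syslog on stdin -> address from the most recent dhclient "bound to" line.
last_bound() {
    awk '/dhclient: bound to / { for (i = 1; i < NF; i++) if ($i == "to") addr = $(i + 1) }
         END { if (addr != "") print addr }'
}

EXTERN_IP=192.0.2.10   # assumed: the address the ipchains rules were generated with
sample_ip_addr | uncovered_addrs eth0 "$EXTERN_IP"
[ "$(sample_syslog | last_bound)" = "$EXTERN_IP" ] || echo "lease moved: rebuild rules"
```

On a live firewall the same functions take `ip addr` output and the syslog file on stdin in place of the two sample functions.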