Actually I thought you asked the question quite well... The packets you are seeing are from your ISP's DHCP server. To conserve public IP address space, many ISPs are apparently using RFC1918 addresses for pieces of their internal network, including their DHCP servers.
In theory, RFC1918 packets should not be seen on the Internet so a rule blocking them is entirely appropriate as a default. There are a couple of approaches you can take. My preference is to change the rule to just drop these packets without logging them. To do this, just go into the Shorewall menu, choose option 16 (RFC1918) and change the 'logdrop' to 'DROP'. Do a backup and then restart Shorewall and that should take care of it. Alternately, you could create a rule for this one particular address.

Regards!
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cass Tolken
Sent: Sunday, July 21, 2002 11:28 AM
To: Leaf User
Subject: [leaf-user] Bering/Shorewall question

Hi there,

I'm a networking newbie so excuse me if this question or my terminology seems strange ;). I'm logging a whole LOT of these hits:

[snip]
Jul 21 13:57:20 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:9a:d0:ec:54:08:00 SRC=10.122.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=37032 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 21 14:03:11 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:9a:d0:ec:54:08:00 SRC=10.122.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=37054 PROTO=UDP SPT=67 DPT=68 LEN=308

I think the DPT=68 is related to bootpc which I believe is dhcp related. I am running dhcpd on eth1. Everything seems to be working great on my internal network (of mostly windows boxen) except for the above hits being logged EVERY few minutes.

I've searched the mailing list archives and have found statements like "the above message is probably generated by a rule in the mangle table" and "that the underlying problem is probably that 'norfc1918' is specified on an interface where it shouldn't be." (both from Tom Eastep in http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg07342.html .)
I'm using the default Bering /etc/shorewall/interfaces lines:

net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect routestopped

Should I take out the "norfc1918" from the eth0 line? If Tom says "it shouldn't be" there, why is it in the default Bering install?

Thanks for any help!

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
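
A way to check the diagnosis in this thread before turning off logging, as an added example that is not part of the original messages or of Shorewall: it parses `Shorewall:rfc1918` log lines and separates DHCP server broadcasts (UDP 67 to 68, sent to 255.255.255.255) from any other RFC1918 hits, grouped by source IP and source MAC. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two log lines quoted in the thread, plus one made-up
# non-DHCP rfc1918 hit (documentation addresses) for contrast.
SAMPLE_LOG = """\
Jul 21 13:57:20 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:9a:d0:ec:54:08:00 SRC=10.122.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=37032 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 21 14:03:11 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:9a:d0:ec:54:08:00 SRC=10.122.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=37054 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 21 14:05:02 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.1.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4211 PROTO=TCP SPT=4321 DPT=80
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

def parse_line(line):
    """Split one Shorewall/netfilter log line into a dict, or None if not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep and key not in fields:  # LEN appears twice; keep the IP-level one
            fields[key] = value
    # netfilter LOG prints MAC as destination(6) + source(6) + EtherType(2)
    fields["SRC_MAC"] = ":".join(fields.get("MAC", "").split(":")[6:12])
    return fields

def is_dhcp_server_broadcast(f):
    """Server-to-client DHCP/BOOTP sent to the limited broadcast address."""
    return (f.get("PROTO"), f.get("SPT"), f.get("DPT"), f.get("DST")) == (
        "UDP", "67", "68", "255.255.255.255")

def summarize(log_text):
    """Count rfc1918 hits per (SRC, source MAC): DHCP broadcasts vs. the rest."""
    dhcp, other = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["chain"] == "rfc1918":
            bucket = dhcp if is_dhcp_server_broadcast(f) else other
            bucket[(f.get("SRC"), f["SRC_MAC"])] += 1
    return dhcp, other

if __name__ == "__main__":
    dhcp, other = summarize(SAMPLE_LOG)
    print("DHCP server broadcasts:", dict(dhcp))
    print("Other rfc1918 hits:", dict(other))
```

Entries in the second counter are the RFC1918 hits that would no longer be logged once 'logdrop' is changed to 'DROP'.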