At 21:13 21/07/2002, Cass Tolken wrote:

Your external address 24.46.y.z doesn't appear to be in the rfc1918 range.
So there is no reason to take the norfc1918 out.
Is your internal DHCP server serving up addresses in this 10 range by any chance?
I don't think so, since your internal IP is in the 192.168 range.

So apparently this is actually someone on the outside doing this.
Most likely scenario is that someone on your segment got his configuration mixed up and is serving up 10.x.y.z addresses on his external instead of his internal interface.

I don't think an attack of some form is going on here. (Because there is no directed destination IP; 255.255.255.255 means it's a broadcast.) The guess that it is someone on your segment comes from the fact that it is a broadcast.

If it is bothering you that it is being logged, you can always add a line to the rfc1918 option file of shorewall (that is, if you are using Bering rc3 with the most recent shorewall).
If you are using anything else, just let me know and we will check to see what we can do.

Just add a line above the 10.x.y.z logdrop with the following info in it.

10.122.64.1/32  DROP

Kim Oppalfens


>--- Kim Oppalfens <[EMAIL PROTECTED]> wrote:
> > At 20:28 21/07/2002, Cass Tolken wrote:
> >
> > Taking out the norfc on should stop logging these.
> > It is in there by default because you are not supposed to have an address in the 10.x.y.z range on an external interface. The norfc means to block anything in the source IP ranges of
> > 10.x.y.z
> > 169.254.y.z
> > 172.16-31.y.z
> > 192.168.0.1
> > 224-239.x.y.z
> >
> > Looking at these logged messages I suspect you to have an external address of 10.x.y.z
> >
> > Just check by using the "ip add" command. If you are in the 10 range you should remove the norfc1918
>
>Thanks for the quick response.  Here is the output of "ip add"
>(I x-ed out my MAC addresses and eth0 IP which I get via pump from my
>cable modem ISP)
>
># ip add
>1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 24.46.xxx.xxx/22 brd 255.255.255.255 scope global eth0
>4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:a0:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
>
>Could it be someone from the outside net that's doing this?
>Again, excuse my newbie-ness ;).  I'll try taking out the norfc1918
>after any replies I get from this message.
>
>Thanks again!
>

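The rule ordering discussed in this thread, as an added example that is not part of the original messages and is not shorewall's own code: a small Python model of an ordered, first-match source-address list, showing why the /32 DROP line has to sit above the 10.x.y.z logdrop line. The CIDR notation for the ranges, the function names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed table modelling an ordered, first-match source-address filter.
# Ranges follow the list in the thread, written here as CIDR blocks; the
# action names "DROP" and "logdrop" are the ones used in the thread.
RULES = [
    ("10.122.64.1/32", "DROP"),      # the exception suggested in the reply
    ("10.0.0.0/8", "logdrop"),
    ("169.254.0.0/16", "logdrop"),
    ("172.16.0.0/12", "logdrop"),
    ("192.168.0.0/16", "logdrop"),
    ("224.0.0.0/4", "logdrop"),
]


def parse(rules):
    """Turn (cidr, action) pairs into (network object, action) pairs."""
    return [(ipaddress.ip_network(net), action) for net, action in rules]


def verdict(src, rules):
    """Return the action of the first rule containing src, or None."""
    addr = ipaddress.ip_address(src)
    for net, action in parse(rules):
        if addr in net:
            return action
    return None  # source is not in any listed range


def shadowed(rules):
    """List rules that can never match because an earlier rule covers them."""
    parsed = parse(rules)
    hidden = []
    for i, (net, action) in enumerate(parsed):
        for earlier, _ in parsed[:i]:
            if net.subnet_of(earlier):
                hidden.append((str(net), action, str(earlier)))
                break
    return hidden


if __name__ == "__main__":
    # Constructed sample sources: the noisy host, another 10.x host, a public address.
    for src in ("10.122.64.1", "10.9.8.7", "24.46.1.1"):
        print(src, "->", verdict(src, RULES))
    print("shadowed rules:", shadowed(RULES))
```

Running `shadowed()` on the table after editing catches an exception line placed below the broader range it was meant to override.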