At 04:15 PM 2/4/03 -0800, Chris Low wrote:
My log file from Dachstein is getting packed with messages like this:

Feb 4 17:29:52 Nimrod kernel: Packet log: input REJECT eth1 PROTO=17 10.10.10.2:4813 10.0.0.14:161 L=84 S=0x00 I=58236 F=0x0000 T=128 (#39)
Feb 4 17:29:52 Nimrod kernel: Packet log: input REJECT eth1 PROTO=17 10.10.10.2:4814 10.0.0.14:161 L=84 S=0x00 I=58492 F=0x0000 T=128 (#39)
Feb 4 17:30:11 Nimrod kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.1:520 192.168.1.255:520 L=72 S=0x00 I=14429 F=0x0000 T=48 (#38)
Feb 4 17:30:37 Nimrod kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.1:520 192.168.1.255:520 L=72 S=0x00 I=14438 F=0x0000 T=48 (#38)
Feb 4 17:30:52 Nimrod kernel: Packet log: input REJECT eth1 PROTO=17 10.10.10.2:4816 10.0.0.14:161 L=84 S=0x00 I=60028 F=0x0000 T=128 (#39)
Feb 4 17:30:52 Nimrod kernel: Packet log: input REJECT eth1 PROTO=17 10.10.10.2:4817 10.0.0.14:161 L=84 S=0x00 I=60284 F=0x0000 T=128 (#39)
Feb 4 17:30:53 Nimrod kernel: Packet log: input REJECT eth1 PROTO=17 10.10.10.2:4817 10.0.0.14:161 L=89 S=0x00 I=60540 F=0x0000 T=128 (#39)

The input rules 38 and 39 are:

259 18648 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
2163 185K REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 161:162

I've searched the archives and know enough to tell that it's traffic from an internal machine (10.10.10.2) to eth1 on the firewall, and from our ISP's router (192.168.1.1) to eth0 on the firewall, but what else does it all mean and is it important?

Actually, you got most of it. PROTO= tells you the protocol number (6=TCP, 17=UDP, 1=ICMP).

The number after the colon is the TCP source or destination port, the UDP source or destination port, or the ICMP type or code. Port 161 is SNMP; you'll need to figure out why your NT server is broadcasting to that port. Port 520 is the routing port associated with RIP; I don't see why the sort of LAN you seem to have would use it, but ask your ISP, since it is its router that is creating the traffic.

If it isn't important how do I turn off logging for these rules?

This is a brand new installation of Dachstein running for about an hour. Need to know anything else, just ask.

--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski					-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
-------------------------------------------------------------------------------


