First off, the 192.168.x.x is a reserved address space, which you should NOT
be seeing, unless you don't have any registered IP addresses and your
border router is a 192.168.x.x address as well.
Secondly, this is multicast traffic, which is pretty selectively allowed.
Route discovery protocols use this type of traffic, as do some streaming
technologies.

If you have a registered IP Addy on your firewall's external interface,
this traffic is most likely spoofed traffic and can be safely discarded
(with the proper security response).  I would contact the ISP and let them
know of the issue and ask that it is resolved if they aren't the ones doing
it.
None of these address ranges belong to anyone.  10.x.x.x,
172.16.x.x-172.21.x.x, and 192.168.x.x are all reserved address spaces, for
use internally in your network.  ISPs should NOT allow packets with this
source address to ever traverse the Internet.



                                                                                       
                                            
Joel Hammer <Joel@hammershome.com>
Sent by: linux-users-admi[EMAIL PROTECTED]
08/17/01 04:23 PM
Please respond to linux-users

To: [EMAIL PROTECTED]
cc:
Subject: Firewall log 192.168.100.1:65535 224.0.0.1:65535




PROTO=2 192.168.100.1:65535 224.0.0.1:65535
Does anyone know what this activity on my external NIC means?
My machine is neither of these two IPs.
This occurs all day, about 5000 hits in the last 5 days.
Been going on for months.
My /etc/protocol gives the following info:
igmp    2       IGMP    # internet group multicast protocol

nslookup 224.0.0.1 :
ALL-SYSTEMS.MCAST.NET
Address:  224.0.0.1

192.168.100.1 can't be found with nslookup.

Joel

_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc
->http://linux.nf/mailman/listinfo/linux-users
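
Added example, not part of either message in this thread: a small classifier for log lines shaped like the one Joel quotes, flagging private-range sources and multicast destinations and applying the reply's rule (discard when the external interface has a registered address, expect it when the upstream side is private too). The line layout is assumed from that single quoted line; the private ranges are the RFC 1918 blocks, where 172.16.0.0/12 runs from 172.16.x.x through 172.31.x.x.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges; 172.16.0.0/12 spans 172.16.x.x through 172.31.x.x.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 224.0.0.0/24 is link-local multicast: routers do not forward it, so the
# sender sits on the same segment as the interface that logged it.
LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}  # from /etc/protocols
# Assumed layout, modelled on the single log line quoted in the thread.
LINE_RE = re.compile(
    r"PROTO=(\d+)\s+(\d+\.\d+\.\d+\.\d+):\d+\s+(\d+\.\d+\.\d+\.\d+):\d+")


def classify(line, external_is_public=True):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(2))
        dst = ipaddress.ip_address(m.group(3))
    except ValueError:  # e.g. an octet above 255
        return None
    flags = []
    if any(src in net for net in RFC1918):
        flags.append("rfc1918-source")
    if dst.is_multicast:
        flags.append("multicast-dest")
    if dst in LOCAL_MCAST:
        flags.append("link-local-multicast")
    if "rfc1918-source" not in flags:
        verdict = "evaluate-normally"
    elif external_is_public:
        verdict = "drop"  # private source on a registered external address
    else:
        verdict = "expected"  # the upstream side is itself RFC 1918 space
    proto = int(m.group(1))
    return {"proto": PROTO_NAMES.get(proto, str(proto)), "src": str(src),
            "dst": str(dst), "flags": flags, "verdict": verdict}


def summarize(lines):
    """Count hits per (source, destination, protocol) for lines that parse."""
    parsed = filter(None, (classify(l) for l in lines))
    return Counter((r["src"], r["dst"], r["proto"]) for r in parsed)
```

The "link-local-multicast" flag is the useful one for tracing: a source that reaches 224.0.0.1 is on the same wire as the external NIC, which narrows the question to the ISP about what equipment on that segment is emitting it.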



