[expert] firewall question
Since setting up Shorewall to discard bad/malformed packets, I've been getting a lot of log entries like this. Why? I know that the displayed destination address is a broadcast address.

Aug 31 08:31:18 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:e8:b4:c6:c3:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=128 ID=8093 PROTO=UDP SPT=68 DPT=67 LEN=556

Also, I've been getting a lot of bad packets from many IP addresses that belong to my ISP. The strange thing is that the packets have my address as the destination address.

This is sure taking up a lot of log space.

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] firewall question
On Sun, 2003-08-31 at 09:46, engage wrote:
> Since setting up Shorewall to discard bad/malformed packets, I've been getting a lot of log entries like this. Why? I know that the displayed destination address is a broadcast address.
>
> Aug 31 08:31:18 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:e8:b4:c6:c3:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=128 ID=8093 PROTO=UDP SPT=68 DPT=67 LEN=556

That's a DHCP packet -- grab it with Ethereal and you can see what type. I'd guess client request.

> Also, I've been getting a lot of bad packets from many IP addresses that belong to my ISP. The strange thing is that the packets have my address as the destination address.

Maybe they're scanning for services, or maybe other users on the ISP are scanning or have worms.

> This is sure taking up a lot of log space.

So don't do it :-) Scale back logging.

http://www.monkeynoodle.org/comp/reply-to
--
Jack Coates
Monkeynoodle: A Scientific Venture...
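Added example, not part of the thread: a small Python triage of Shorewall `badpkt` log lines that separates DHCP client broadcasts like the one quoted above from other drops, so it is clear which traffic is filling the log before logging is scaled back. The first sample line is the entry from the post; the other two lines, their addresses, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first line is the entry quoted in the thread; the
# other two are made up, using documentation addresses (RFC 5737).
SAMPLE = """\
Aug 31 08:31:18 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:e8:b4:c6:c3:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=128 ID=8093 PROTO=UDP SPT=68 DPT=67 LEN=556
Aug 31 08:32:02 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.20 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=411 PROTO=TCP SPT=3312 DPT=135 WINDOW=8760 SYN
Aug 31 08:32:05 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.20 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=412 PROTO=TCP SPT=3313 DPT=135 WINDOW=8760 SYN
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return the KEY=VALUE fields of one Shorewall log line, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    for key, value in FIELD.findall(m["rest"]):
        rec.setdefault(key, value)  # first LEN is the IP length, second is UDP
    mac = rec.get("MAC", "").split(":")
    if len(mac) == 14:  # 6 bytes destination, 6 bytes source, 2 bytes EtherType
        rec["SRC_MAC"] = ":".join(mac[6:12])
    return rec

def is_dhcp_client_broadcast(rec):
    """UDP 68 -> 67 from 0.0.0.0 to the limited broadcast address."""
    return (rec.get("PROTO") == "UDP" and rec.get("SPT") == "68"
            and rec.get("DPT") == "67" and rec.get("SRC") == "0.0.0.0"
            and rec.get("DST") == "255.255.255.255")

def triage(text):
    """Count DHCP client broadcasts per source MAC and other drops per flow."""
    dhcp_clients, other = Counter(), Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if is_dhcp_client_broadcast(rec):
            dhcp_clients[rec.get("SRC_MAC", "unknown")] += 1
        else:
            other[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return dhcp_clients, other

if __name__ == "__main__":
    dhcp, other = triage(SAMPLE)
    print("DHCP client broadcasts by source MAC:", dict(dhcp))
    print("Other drops by (src, proto, dport):", dict(other))
```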
Re: [expert] firewall question
On Sunday 31 August 2003 11:43 am, Jack Coates wrote:
> On Sun, 2003-08-31 at 09:46, engage wrote:
> > Since setting up Shorewall to discard bad/malformed packets, I've been getting a lot of log entries like this. Why? I know that the displayed destination address is a broadcast address.
> >
> > Aug 31 08:31:18 n0sq kernel: Shorewall:badpkt:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:e8:b4:c6:c3:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=128 ID=8093 PROTO=UDP SPT=68 DPT=67 LEN=556
>
> That's a DHCP packet -- grab it with Ethereal and you can see what type. I'd guess client request.

I forgot that a lot of the new accounts at the ISP are now DHCP.

> > Also, I've been getting a lot of bad packets from many IP addresses that belong to my ISP. The strange thing is that the packets have my address as the destination address.
>
> Maybe they're scanning for services, or maybe other users on the ISP are scanning or have worms.

Possibly. I'm going to have to spend more time on network analysis. I might be able to get away from the computer someday.