Re: [CentOS] OT: what are all these probes from my firewall log????
On Saturday, August 18, 2012 11:01:26 AM fred smith wrote: On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote: On 08/16/2012 11:06 PM, fred smith wrote: hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least. Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. that implies that there are a WHOLE LOT of systems served by this provider that are doing dhcp requests, given the volume of these things I'm seeing. they're arriving at rates ranging from 4-5 a second, to 1-2 a minute, mostly in the one every 1-5 seconds rate. Welcome to NAT444. Aka 'double-NAT' or 'carrier-grade NAT' where your connection's WAN port is further NATted at the ISP's border router, and the ISP itself is using RFC 1918 space and minimal publicly routable IP addresses. There was a special IPv4 address block allocated for this purpose relatively recently; discussion can be found in the NANOG mailing list archives. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On 08/16/2012 11:06 PM, fred smith wrote: On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote: On 08/16/12 7:01 PM, fred smith wrote: I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255. there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that? whois doesn't turn up anything on 10.21.72.1. Anybody got suggestions on how I'd track this down? Thanks! Aug 16 21:13:59 kernel: DROP4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:001SRC=10.21.72.1 DST=255.255.255.2551LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP1SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:001SRC=10.21.72.1 DST=255.255.255.2551LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP1SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:001SRC=10.21.72.1 DST=255.255.255.2551LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP1SPT=67 DPT=68 LEN=308 that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?. John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still on). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look. ... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop. weird. hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least. Any other thoughts? Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium. SPT=67source port = BOOTP server DPT=68dest port = BOOTP client DST=255.255.255.255 dest address = Broadcast -- Bob Nichols NOSPAM is really part of my email address. Do NOT delete it. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote: On 08/16/2012 11:06 PM, fred smith wrote: On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote: On 08/16/12 7:01 PM, fred smith wrote: I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255. there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that? whois doesn't turn up anything on 10.21.72.1. Anybody got suggestions on how I'd track this down? Thanks! Aug 16 21:13:59 kernel: DROP4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:001SRC=10.21.72.1 DST=255.255.255.2551LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP1SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:001SRC=10.21.72.1 DST=255.255.255.2551LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP1SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:001SRC=10.21.72.1 DST=255.255.255.2551LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP1SPT=67 DPT=68 LEN=308 that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?. John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still on). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look. ... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop. weird. hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least. Any other thoughts? Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium. SPT=67source port = BOOTP server DPT=68dest port = BOOTP client DST=255.255.255.255 dest address = Broadcast that implies that there are a WHOLE LOT of systems served by this provider that are doing dhcp requests, given the volume of these things I'm seeing. they're arriving at rates ranging from 4-5 a second, to 1-2 a minute, mostly in the one every 1-5 seconds rate. My firewall is filtering them, which is good. and while there are a lot of them it isn't enough to make a dent in my incoming bandwidth. Were I still on dialup or DSL, it might be. The firewall is the built-in firewall in my Asus router. the UI doesn't give much flexibility in what it logs (basically you can log none, dropped, accepted, or all--I've chosen to log dropped). Of course, I could open a shell on the router and hack the iptables rules, but I'd just as soon not. thanks for the reply! -- Fred Smith -- fre...@fcshome.stoneham.ma.us - Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of heaven, but only he who does the will of my Father who is in heaven. -- Matthew 7:21 (niv) - ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On 08/18/2012 10:01 AM, fred smith wrote: On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote: Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium. SPT=67source port = BOOTP server DPT=68dest port = BOOTP client DST=255.255.255.255 dest address = Broadcast that implies that there are a WHOLE LOT of systems served by this provider that are doing dhcp requests, given the volume of these things I'm seeing. they're arriving at rates ranging from 4-5 a second, to 1-2 a minute, mostly in the one every 1-5 seconds rate. My firewall is filtering them, which is good. and while there are a lot of them it isn't enough to make a dent in my incoming bandwidth. Were I still on dialup or DSL, it might be. The firewall is the built-in firewall in my Asus router. the UI doesn't give much flexibility in what it logs (basically you can log none, dropped, accepted, or all--I've chosen to log dropped). Of course, I could open a shell on the router and hack the iptables rules, but I'd just as soon not. thanks for the reply! FWIW, I average about 9 of those per minute on my cable segment. That's 194000 packets counted by my own (non-logging!) iptables rule in the 15+ days this system has been up. -- Bob Nichols NOSPAM is really part of my email address. Do NOT delete it. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On Fri, 17 Aug 2012, fred smith wrote: *snip* hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least. Any other thoughts? Any network problems, I run Wireshark network analyser in GUI mode. It helps identify issues on the network with meaningfull error and warning messages. HTH Keith --- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk All email addresses are challenge-response protected with TMDA [http://tmda.net] --- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On 08/16/12 9:24 PM, Bobby wrote: On 08/17/2012 12:20 AM, John R Pierce wrote: the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN. Yup looks like the ISP is checking to see who's on. you might just try something like... tcpdump -i eth0 -w udpdump.txt udp port 67 or udp port 68 and let that run for a few minutes, long enough to capture a few of these packets, then ctl-C it, and take that dumpfile and load it into wireshark (can do that on any system wireshark runs on) and see what it decodes the dhcp packets to actually be. for instance, this is a DHCP 'renew' request (from the LAN side of my gateway)... # tcpdump -i eth1 -vvv -n udp port 67 or udp port 68 tcpdump: listening on eth1 21:46:46.009596 192.168.0.136.bootpc 192.168.0.1.bootps: xid:0x9fb275f6 C:192.168.0.136 [|bootp] (ttl 128, id 31970, len 339) 21:46:46.013544 192.168.0.1.bootps 192.168.0.136.bootpc: xid:0x9fb275f6 C:192.168.0.136 Y:192.168.0.136 S:192.168.0.1 [|bootp] (ttl 64, id 16362, len 328) 2 packets received by filter 0 packets dropped by kernel wireshark will do a much better job explaining the packets than tcpdump does. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
fred smith fre...@fcshome.stoneham.ma.us wrote: On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote: this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ?if so, then yes, I imagine its something at your ISP, you might ask them what these are. Yup, that's the WAN side of the router. I'll go yell at them, probably tomorrow. I wouldn't bother. Depending on the demarc equipment used by your ISP and how they have their network configured, you can wind up seeing this kind of crap and there's bugger-all that you can do about it For example, with a cable modem, your assigned upstream segment might be network-A, but other people in your neighborhood might be on network-B, both serviced by the same RF carrier. You shouldn't see unicast traffic for your neighbors, but you could very well see broadcast (and dhcp is the most likely culprit). I know of a particular case where the ISP will assign statics out of one pool, dynamic IPs out of the other pool, a single modem will service machines out of both pools, and therefore you also see broadcast out of both pools. This isn't specific to cable. With both cable and DSL providers I've seen both the only-see-your-own-traffic situation and the see-your-neighbors-broadcast situation. It all depends on the equipment and the configuration. And when I mean configuration, I'm talking about for everyone in your node, if not for your whole city. So it's unlikely that your ISP will change it just for you. But if you still want to call them, fill your boots ... Devin -- He is a prime candidate for natural deselection. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On Fri, Aug 17, 2012 at 09:18:01PM -0600, Devin Reade wrote: fred smith fre...@fcshome.stoneham.ma.us wrote: On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote: this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ?if so, then yes, I imagine its something at your ISP, you might ask them what these are. Yup, that's the WAN side of the router. I'll go yell at them, probably tomorrow. I wouldn't bother. thanks for the info. I didn't really expect to get any swift action, I kinda figured it is what it is, like it or lump it would be their response. but I still might drop them an email with some log excerpts just to see how they respond. I'm retired, I have plenty of time! :) Depending on the demarc equipment used by your ISP and how they have their network configured, you can wind up seeing this kind of crap and there's bugger-all that you can do about it For example, with a cable modem, your assigned upstream segment might be network-A, but other people in your neighborhood might be on network-B, both serviced by the same RF carrier. You shouldn't see unicast traffic for your neighbors, but you could very well see broadcast (and dhcp is the most likely culprit). I know of a particular case where the ISP will assign statics out of one pool, dynamic IPs out of the other pool, a single modem will service machines out of both pools, and therefore you also see broadcast out of both pools. This isn't specific to cable. With both cable and DSL providers I've seen both the only-see-your-own-traffic situation and the see-your-neighbors-broadcast situation. It all depends on the equipment and the configuration. And when I mean configuration, I'm talking about for everyone in your node, if not for your whole city. So it's unlikely that your ISP will change it just for you. But if you still want to call them, fill your boots ... Devin -- He is a prime candidate for natural deselection. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Fred Smith -- fre...@fcshome.stoneham.ma.us - For him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy--to the only God our Savior be glory, majesty, power and authority, through Jesus Christ our Lord, before all ages, now and forevermore! Amen. - Jude 1:24,25 (niv) - ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On 08/16/12 7:01 PM, fred smith wrote: I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255. there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that? whois doesn't turn up anything on 10.21.72.1. Anybody got suggestions on how I'd track this down? Thanks! Aug 16 21:13:59 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP 1SPT=67 DPT=68 LEN=308 that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote: On 08/16/12 7:01 PM, fred smith wrote: I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255. there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that? whois doesn't turn up anything on 10.21.72.1. Anybody got suggestions on how I'd track this down? Thanks! Aug 16 21:13:59 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP 1SPT=67 DPT=68 LEN=308 that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?. John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still on). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look. ... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop. weird. hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least. Any other thoughts? -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- --- Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community. --Roger Ebert, December, 1996 - The Boulder Pledge - ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On 08/16/12 9:06 PM, fred smith wrote: On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote: On 08/16/12 7:01 PM, fred smith wrote: I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255. there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that? whois doesn't turn up anything on 10.21.72.1. Anybody got suggestions on how I'd track this down? Thanks! Aug 16 21:13:59 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP 1SPT=67 DPT=68 LEN=308 that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?. John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still on). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look. ... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop. weird. hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least. Any other thoughts? the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN. this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ?if so, then yes, I imagine its something at your ISP, you might ask them what these are. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On 08/17/2012 12:20 AM, John R Pierce wrote: the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN. Yup looks like the ISP is checking to see who's on. -- Bobby ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: what are all these probes from my firewall log????
On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote: On 08/16/12 9:06 PM, fred smith wrote: On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote: On 08/16/12 7:01 PM, fred smith wrote: I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255. there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that? whois doesn't turn up anything on 10.21.72.1. Anybody got suggestions on how I'd track this down? Thanks! Aug 16 21:13:59 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP 1SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP 4DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 1SRC=10.21.72.1 DST=255.255.255.255 1LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP 1SPT=67 DPT=68 LEN=308 that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?. John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still on). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look. ... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop. weird. hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least. Any other thoughts? the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN. this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ?if so, then yes, I imagine its something at your ISP, you might ask them what these are. Yup, that's the WAN side of the router. I'll go yell at them, probably tomorrow. thanks guys! -- Fred Smith -- fre...@fcshome.stoneham.ma.us - And he will be called Wonderful Counselor, Mighty God, Everlasting Father, Prince of Peace. Of the increase of his government there will be no end. He will reign on David's throne and over his kingdom, establishing and upholding it with justice and righteousness from that time on and forever. --- Isaiah 9:7 (niv) -- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
