[Leaf-user] Re: very large /var/log/wtmp

2001-12-09 Thread Richard Burt

Looks like this did it.  My inittab had both tty1 & 2
uncommented under the getty invocation section.  I
commented them out around 10 hours ago, and so far my
wtmp file is a respectable size.  I'll keep my eye on
it for the next few days.  Thanks again.
Rich


>Richard Burt wrote:
>> 
>> OK, I took a look at the man pages for last.  With no arguments, it should
>> tell me all logins from the wtmp file.  Here is what I get:
>> 
>> # last
>> USER TTY PID TIMEON  FROM
>> reboot   ~   0   48452.2.19

>A standard entry - though with the size of your file, it should go on
>for pages and pages

>> Figuring it has to do with logins, I also took a look at auth.log (also
>> pretty big).  I think the answer is here, but I don't know what to do to
>> fix it.  It is full of these.
>> 
>> Dec 7 06:45:12 firewall /sbin/getty[11929]: /dev/tty1: cannot open as
>> standard input: Operation not supported by device
>> Dec 7 06:45:13 firewall /sbin/getty[11930]: /dev/tty2: cannot open as
>> standard input: Operation not supported by device
>> 
>> My box does not have any serial ports, so is there something I can do to
>> stop it from trying to open them?

>Rather surprising that it's trying to do this at all.  However, try the
>following:

>Check your /etc/inittab for entries that mention these serial ports;
>then comment them out.  Then find the process id of "init" using "ps |
>grep init" and do "kill -HUP "




___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] Silent_Deny by destination address ???

2001-12-09 Thread Michael D. Schleif


I want to silently deny all traffic with destination 255.255.255.255,
regardless of source.

This is in response to:

input DENY eth0 PROTO=17 12.242.20.34:67 255.255.255.255:68

Is there any protocol or destination port for which these should *not*
be denied?

Yes, I can write the ipchains rule; but, *where* should it go?  I'm
really trying to avoid editing:

/etc/ipfilter.conf

Is this a job for:

IPCH_IN=/etc/ipchains.input

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] Dachstein multicron-p updatetime() bug

2001-12-09 Thread Charles Steinkuehler

> I recently noticed the clock was incorrect on one of my
> Dachstein firewalls even though I have $lrp_DATE_SERVER
> set to a valid time server.  After a bit of digging, it
> looks like the
>
>   if [ -n "`ps axc | grep xntpd`" ]
>
> test on line 147 of /etc/multicron-p in updatetime()
> was true when it shouldn't have been.  A match on the
> grep process was the culprit:
>
>   # ps axc | grep xntpd
>    6116 root     R    grep xntpd
>   # echo $?
>   0

Looks like a bug...apparently caused by a race condition between the ps
command and the shell spawning the grep command.

> I've resolved the problem with
>
> if [ -n "`ps axc | grep -v grep | grep xntpd`" ]; then
>
> for now.  For the shell script gurus out there, is there a
> more elegant fix, preferably one that would work even if the
> grep "-v" flag wasn't available?

There's always:
ps axc | sed /grep/d | grep xntpd
-or-
ps axc | sed -n '/sed/d;/xntpd/p'

I'll stick this in the bug list for the next release, and see if anything
more elegant pops to mind later...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] Silent_Deny by destination address ???

2001-12-09 Thread Charles Steinkuehler

> Is this a job for:
>
> IPCH_IN=/etc/ipchains.input
>
> What do you think?

That's what it's there for...use the -I switch to get your rule applied
prior to the standard blocking (and logging) rules.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] What is This

2001-12-09 Thread Matthew Schalit

"Sean E. Covel" wrote:
> 
> Is this what they call FireWalking?  This is my welcome to the new ATTBI
> network.  Got more of these than Nimda or Code Red hits.  Goes on for
> pages.  1888 today.  Any thoughts?

It looks annoying at first glance.  Are you using dhcp?  Just wondering.
If so, did you have to enter c1240165-a as your hostname into /etc/hosts
or /etc/hostname or your /etc/rc.config.d/dhcp conf file?

All these are blocked by rule #42.  What is that rule?
These log messages are from strange hosts.  80% of them don't
resolve to a real hostname.  All the packets you listed are
tcp packets with no SYN flag, meaning they are theoretically
responses to some tcp dns request your machine made.  Because
they are all response packets, I'm not sure what's going on.
I don't know why you're getting responses from so many odd
computers.  The other strange thing is that I would expect
your firewall rules to allow response to outgoing TCP DNS requests.
That's why I want to see rule 42.

   ipchains -L > /tmp/myrules
   vi /tmp/myrules, find line 42, and post it.

Your custom cd boot only sounds nifty.
Post a mini-HOWTO when you get it done.
Matthew


> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 194.205.125.26:32881 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=242 (#42)
> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 216.220.39.42:59118 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=236 (#42)
> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 64.56.174.186:30087 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=238 (#42)
> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:53767 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=235 (#42)
> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 203.194.166.182:51122 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=231 (#42)
> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 62.26.119.34:58275 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=242 (#42)
> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 194.213.64.150:21170 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=237 (#42)
> Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:12351 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=242 (#42)
> 
> BTW, I just switched from ESB2 to Dachstein CD.  Went S smooth!
> Nice to have MAJOR storage, and FAST boots.  Charles, you are a GOD.
> The partial backup scheme was not too confusing.  Only took 3 tries to
> get the partial and destination settings correct.  I added PortSentry
> (on my floppy backup).  I think once I'm happy with the setup, I'm going
> to do a full backup of everything onto diskette, then dump the CD to a
> hard drive.  Overlay the HD with the diskette backups, and burn a new
> CD.  The point is a completely custom setup that boots CD only!  Nice
> job!




Re: [Leaf-user] What is This

2001-12-09 Thread Matthew Schalit

Victor McAllisteer wrote:
> 

> This is some crazy method of geographic load balancing.  A whole lot of
> boxes use TCP port 53 simultaneously to find out what part of the world.

Victor, wouldn't the load balancing we've seen over the
last months that hits port 53 be SYN traffic?  Why
are all his log entries referring to non-SYN traffic,
i.e. responses?

Matthew




Re: [Leaf-user] Dachstein multicron-p updatetime() bug

2001-12-09 Thread Matthew Schalit

Charles Steinkuehler wrote:
[snip]

> There's always:
> ps axc | sed /grep/d | grep xntpd
> -or-
> ps axc | sed -n '/sed/d;/xntpd/p'


I like the Oxygen ps command, because I can type

  ps h -C xntpd

and it will print out only the xntpd line if it's
there, and nothing otherwise.  Sort of like 'which'.

Regards,
Matthew
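
An added example for the updatetime() problem in this thread (not code from multicron-p, from Charles or from Matthew): a process check whose grep cannot match itself, using the bracket trick instead of "grep -v" or "ps -C". The process listings below are constructed stand-ins for "ps axc" output.

```shell
#!/bin/sh
# Added example, not code from multicron-p or from the list: a process check
# that cannot match its own grep and needs neither "grep -v" nor "ps -C".
# The regex "[x]ntpd" matches the text "xntpd" but not the literal argument
# "[x]ntpd" that ps shows for the checking grep itself, so the race in
# updatetime() goes away.

# Turn a process name into its self-excluding pattern: "xntpd" -> "[x]ntpd".
bracket_pattern() {
    first=$(printf '%.1s' "$1")
    rest=${1#?}
    printf '[%s]%s\n' "$first" "$rest"
}

# Count the lines of a process listing ($1) that belong to process $2.
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the
# count usable under "set -e".
count_proc() {
    printf '%s\n' "$1" | grep -c "$(bracket_pattern "$2")" || true
}

# The original updatetime() test, for comparison: the bare name also matches
# the grep process's own command line.
count_proc_naive() {
    printf '%s\n' "$1" | grep -c "$2" || true
}

# Constructed process listings standing in for "ps axc" output at the moment
# the test runs.  In the first two, xntpd is NOT running: only init and the
# checking grep are present.
PS_NAIVE='  PID USER  STAT COMMAND
    1 root  S    init
 6116 root  R    grep xntpd'

PS_BRACKET='  PID USER  STAT COMMAND
    1 root  S    init
 6116 root  R    grep [x]ntpd'

# Here xntpd really is running.
PS_RUNNING='  PID USER  STAT COMMAND
    1 root  S    init
  312 root  S    xntpd
 6116 root  R    grep [x]ntpd'

# Live use, as updatetime() would call it (the only line that touches real ps):
#   if [ "$(ps axc | grep -c "$(bracket_pattern xntpd)")" -gt 0 ]; then ... fi
```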




[Leaf-user] Using pppoe

2001-12-09 Thread Keith Laidlaw

I have had cable access (using DHCP) for a year and
my IP address has changed only once.  This is very
convenient, considering I often access my home network
from a RW.  I don't need DNS to resolve the address, I
hard code it.

I now have to use ADSL access using PPPoE and dynamic
address.  My question is: are PPPoE addresses as stable?

Is there the equivalent of a "lease".  Is there a trick
I can use to keep the address (e.g. ping some address
once a minute)?  Is there another way that I can tolerate
changing addresses by reresolving the address (dynamic
DNS???).

TIA

Keith Laidlaw
Manager of Engineering
Dakins Engineering Group Ltd.
tel: (905) 814-6024
fax: (905) 814-6029








Re: [Leaf-user] Using pppoe

2001-12-09 Thread Kenneth Hadley

Really depends on your ISP and how long you're allowed to keep a leased IP.
For example my ISP (Pacific Bell, Monterey PacBell district, California)
doesn't change my IP address unless I reboot my router, and even then I have a
50-50 chance of receiving the same IP address as before, but I know of other
ISPs (mostly European it seems) that forcibly change your IP address every few
hours (I had the same IP once for 3 months and the only reason it changed
was because the entire house lost power).
Dachstein and EigerSteinBETA2 PPPoE v.0.4 both support non-demand dial PPPoE
so you should be able to keep a fairly static IP address, providing you don't
have an over-aggressive ISP.







Re: [Leaf-user] Using pppoe

2001-12-09 Thread Etienne Charlier

Hi,
I use dyndns.org
http://www.dyndns.org/

and ez-ipupdate
project
http://www.gusnet.cx/proj/ez-ipupdate/

leaf package
http://leaf.sourceforge.net/devel/sboulter

because here in Belgium, ip addresses are very volatile ( at least
ADSL/PPPOE )
regards,
Etienne





Re: [Leaf-user] What is This

2001-12-09 Thread Michael D. Schleif


Matthew Schalit wrote:
> 

[ snip ]

> All these are blocked by rule #42.  What is that rule?
> These log messages are from strange hosts.  80% of them don't
> resolve to a real hostname.  All the packets you listed are
> tcp packets with no SYN flag, meaning they are theoretically
> responses to some tcp dns request your machine made.  Because
> they are all response packets, I'm not sure what's going on.
> I don't know why you're getting responses from so many odd
> computers.  The other strange thing, is that I would expect
> your firewall rules to allow response to outgoing TCP DNS requests.
> That's why I want to see rule 42.
> 
>ipchains -L > /tmp/myrules
>vi /tmp/myrules, find line 42, and post it.

Actually, I like this -- and have added it to weblet's:
/var/sh-www/cgi-bin/viewfw :

ipchains -L -nv --line-numbers

This automatically lists line numbers . . .

-- 

Best Regards,

mds
mds resource
888.250.3987





Re: [Leaf-user] Silent_Deny by destination address ???

2001-12-09 Thread Ray Olszewski

At 01:03 PM 12/9/01 -0600, Michael D. Schleif wrote:
>
>I want to silently deny all traffic with destination 255.255.255.255,
>regardless of source.
>
>This is in response to:
>
>   input DENY eth0 PROTO=17 12.242.20.34:67 255.255.255.255:68
>
>Is there any protocol or destination port for which these should *not*
>be denied?
...

It depends on how your router gets its external address. The example you
gave is a dhcp server replying to an (as yet) unconfigured dhcp client. If
you need to get your external address via dhcp, you need to allow the very
example you provided (assuming eth0 is external). 

Conversely, if your router acts as a dhcp server, it needs to accept the
corresponding sorts of requests from dhcp clients on the relevant interface(s).

I believe the Windows sharing services -- the ones that run on port 137-139
-- make some use of broadcast addresses as well. I don't run them here so
cannot recall details.

Unless you want to respond to broadcast pings (and why would you?), I can't
think of any other common services that use broadcast IP packets.


--
"Never tell me the odds!"                      --- Han Solo
Ray Olszewski
Palo Alto, CA                                  [EMAIL PROTECTED]






[Leaf-user] SYN packets

2001-12-09 Thread Mike Branco



Do SYN packets have any particular use?  Is there a way to deny
any and all SYN packets altogether?


Re: [Leaf-user] Silent_Deny by destination address ???

2001-12-09 Thread Michael D. Schleif


Ray Olszewski wrote:
> 
> At 01:03 PM 12/9/01 -0600, Michael D. Schleif wrote:
> >
> >I want to silently deny all traffic with destination 255.255.255.255,
> >regardless of source.
> >
> >This is in response to:
> >
> >   input DENY eth0 PROTO=17 12.242.20.34:67 255.255.255.255:68
> >
> >Is there any protocol or destination port for which these should *not*
> >be denied?
> ...
> 
> It depends on how your router gets its external address. The example you
> gave is a dhcp server replying to an (as yet) unconfigured dhcp client. If
> you need to get your external address via dhcp, you need to allow the very
> example you provided (assuming eth0 is external).

Yes; but, in the case of Dachstein, the rules are *not* in place until
after I negotiate an address for eth0 ;>

> Conversely, if your router acts as a dhcp server, it needs to accept the
> corresponding sorts of requests from dhcp clients on the relevant interface(s).
> 
> I believe the Windows sharing services -- the ones that run on port 137-139
> -- make some use of broadcast addresses as well. I don't run them here so
> cannot recall details.
> 
> Unless you want to respond to broadcast pings (and why would you?), I can't
> think of any other common services that use broadcast IP packets.

This entry in /etc/ipchains.input appears to do as I need:

$IPCH -I input -j DENY -p all -s 0/0 -d 255.255.255.255 -i $EXTERN_IF

One thing that concerns me is this statement from man ipchains:

``The mask can be either a network mask or a plain number, specifying
the number of 1's at the left side of the network mask.   Thus, a  mask
of 24 is equivalent to 255.255.255.0.''

Do I need to specify /32?  At this point, I do not know what else can
come to me for 255.255.255.0/24 -- so, I'm trying to be careful in what
I deny.  If 255.255.255.255 is noise, regardless of port, protocol &
source, then I'm all for keeping it out of my logs . . .

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987





Re: [Leaf-user] SYN packets

2001-12-09 Thread Matt Schalit

> Mike Branco wrote:
> 
> Do SYN packets have any particular use?  

Yes, a packet that has the SYN flag set in it
is the first packet of a connection.  When you
see a packet with SYN set, it is coming from someone 
who's attempting to make a new connection to your computer.

> Is there a way to deny any and all SYN packets altogether?

ipchains -A input -j DENY -i eth0 -p tcp ! -y -l

Meaning:
-

   -A input   = add this rule to the input chain
   -j DENY    = deny all packets which are
   -i eth0    = coming in on eth0, the external nic
   -p tcp     = and the packet is tcp
   ! -y       = and the packet has the SYN flag set,
   -l         = then log these denies to the syslog.


But you probably wouldn't want to do that, unless you
never expect inbound new tcp connections (You get those doing
outbound active ftp).

Regards,
Matthew




[Leaf-user] What is This

2001-12-09 Thread Sean E. Covel

> All these are blocked by rule #42.  What is that rule?
> These log messages are from strange hosts.  80% of them don't
> resolve to a real hostname.  All the packets you listed are
> tcp packets with no SYN flag, meaning they are theoretically
> responses to some tcp dns request your machine made.  Because
> they are all response packets, I'm not sure what's going on.
> I don't know why you're getting responses from so many odd
> computers.  The other strange thing, is that I would expect
> your firewall rules to allow response to outgoing TCP DNS requests.
> That's why I want to see rule 42.
>
>ipchains -L > /tmp/myrules
>vi /tmp/myrules, find line 42, and post it.

Here is the rule.  My ruleset is standard Dachstein with only a couple
of additions:

42   2795  124K DENY   all  l-  0xFF 0x00  eth0   0.0.0.0/0   0.0.0.0/0   n/a

Searching the Internet turns up a number of scripts that scan port 53
for Bind.  Let me know what you think.

Sean





Re: [Leaf-user] Silent_Deny by destination address ???

2001-12-09 Thread guitarlynn

On Sunday 09 December 2001 16:58, you wrote:

> Conversely, if your router acts as a dhcp server, it needs to
> accept the corresponding sorts of requests from dhcp clients on the
> relevant interface(s).

Yep, but they're not denied on the LAN side.

> I believe the Windows sharing services -- the ones that run on port
> 137-139 -- make some use of broadcast addresses as well. I don't
> run them here so cannot recall details.

These are the NetBIOS ports, the broadcast address (again on the LAN)
would be something like 192.168.1.255:139. Again the rule won't deny
this.

> Unless you want to respond to broadcast pings (and why would you?),
> I can't think of any other common services that use broadcast IP
> packets.

255.255.255.255 is most likely a Class A DHCP request. For some
strange reason, since @HOME has been having random outages,
reports of tons of these requests have been made all over. Funny
thing is the bulk of the ones I've been getting are from a private
class 10.6.1.x address. I just figured someone jacked up their Win2K
config; seems to happen often around here.

Aren't the /32 masks reserved for gov & university networks???

~Lynn Avants
[EMAIL PROTECTED]



-- 
if linux isn't the answer, you've got the wrong question




Re: [Leaf-user] What is This

2001-12-09 Thread Victor McAllisteer

Matthew Schalit wrote:

> Victor McAllisteer wrote:
> >
>
> > This is some crazy method of geographic load balancing.  A whole lot of
> > boxes use TCP port 53 simultaneously to find out what part of the world.
>
> Victor, wouldn't the load balancing we've seen over the
> last months that hits port 53 by SYN traffic?  Why
> are all his log entries refering to non-SYN traffic,
> i.e. responses?
>
> Matthew

There was a lot of list traffic back in May on the LRP list concerning this
port 53 weirdness.  My understanding is that tcp port 53 to port 53 is usually
a zone transfer.  Leaf boxes running tiny DNS will not respond to tcp queries.


I believe a number of list members analyzed this stuff using resources beyond
just the log entries.  It comes all at once from many different IPs.

The same IPs always show up repeatedly in the space of a few seconds.

They fill the logs - often with 600 DENYs in a period of 10 seconds or less.

Someone traced the ownership of the machines.  Apparently it is some sort of
proprietary method of determining which machine you are closest to
geographically so they can serve up some pop up ad efficiently (for them).

DENY (no response) doesn't seem to prevent the pop up ads.  Perhaps if they
can't get you to send them back a packet, they end up serving the pop up from
some default machine.  Those who pay for this "technology" should have their
head examined.
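
An added example, not code from the list, from Dachstein or from any poster, that turns Matthew's observation (no SYN flag, so these are replies) and Victor's (hundreds of DENYs from many IPs within a few seconds) into a check over ipchains "Packet log" lines. It assumes the ipchains logger writes the token "SYN" before the "(#rule)" field when SYN is set and ACK is clear; the last sample line and its 192.0.2.10 source are constructed.

```shell
#!/bin/sh
# Added example, not code from the list or from Dachstein: a small awk report
# over ipchains "Packet log" lines that flags the pattern described above
# (many DENYs in one second, to one local port, from many distinct sources).
# Assumption used here: the kernel's ipchains logger appends the token "SYN"
# just before the "(#rule)" field when a TCP packet has SYN set and ACK
# clear, so a line without it is a non-SYN packet (a reply, as Matthew noted).
#
# burst_report LOG THRESHOLD
#   prints "<timestamp> port <dst port>: <n> sources, <m> SYN" for every
#   (second, destination port) group with at least THRESHOLD distinct sources.
burst_report() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /Packet log: input DENY/ {
            ts = $1 " " $2 " " $3          # "Dec 8 20:50:12"
            split($12, src, ":")           # "194.205.125.26:32881"
            split($13, dst, ":")           # "12.243.228.133:53"
            key = ts SUBSEP dst[2]
            if (!((key, src[1]) in seen)) { seen[key, src[1]] = 1; n[key]++ }
            if ($0 ~ / SYN /) syn[key]++
        }
        END {
            for (k in n)
                if (n[k] >= thr) {
                    split(k, p, SUBSEP)
                    printf "%s port %s: %d sources, %d SYN\n", p[1], p[2], n[k], syn[k] + 0
                }
        }'
}

# Sample input: the first four entries from Sean's log above, plus one
# constructed entry (a single SYN to port 80 in a different second, from the
# documentation address 192.0.2.10) that an ordinary unsolicited connection
# attempt would produce and that must not be flagged.
SAMPLE_LOG='Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 194.205.125.26:32881 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=242 (#42)
Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 216.220.39.42:59118 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=236 (#42)
Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 64.56.174.186:30087 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=238 (#42)
Dec 8 20:50:12 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:53767 12.243.228.133:53 L=44 S=0x00 I=0 F=0x T=235 (#42)
Dec 8 20:51:03 c1240165-a kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4021 12.243.228.133:80 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#42)'

# Number of flagged groups (useful for a cron mail or a quick check).
# grep -c prints 0 and exits 1 on no match; "|| true" keeps set -e happy.
burst_count() {
    burst_report "$1" "$2" | grep -c . || true
}
```

Run it against /var/log/messages by replacing "$SAMPLE_LOG" with "$(cat /var/log/messages)"; the burst to port 53 shows up as one group with many sources and no SYN, while the single SYN stays below any sensible threshold.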






[Leaf-user] What is This

2001-12-09 Thread Sean E. Covel

Victor,

I believe you are correct.  After reading the banter going back and
forth, and recalling previous posts (about that DAMN X10 popup) I
reviewed my log.  The log entries are bursts of hundreds in the same few
seconds.  Must have been while I was on MyYahoo.  I remember getting the
X10 and Casino popups.  Is there any way we can reverse "SPAM" them to
stop this ridiculous traffic?

Read this:
http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm
This and another appliance called BIG/Ip could very well be the source
of this traffic.

Here is another one about an ISP using this technology...
http://lists.insecure.org/incidents/2001/May/0096.html

And then to close the loop, The above ISP is using the cisco product...
http://lists.insecure.org/incidents/2001/May/0159.html

Nice huh?


Sean




[Leaf-user] logging

2001-12-09 Thread Brian Camp

How can I keep denied packets with the 255.255.255.255 destination address
from being logged?





Re: [Leaf-user] logging

2001-12-09 Thread Michael D. Schleif


Brian Camp wrote:
> 
> How can I keep denied packets with the 255.255.255.255 destination address
> from being logged?

If you are using Dachstein, or some other distribution that understands
this supplemental file, this entry in /etc/ipchains.input appears to do
as you need:

$IPCH -I input -j DENY -p all -s 0/0 -d 255.255.255.255 -i $EXTERN_IF

-- 

Best Regards,

mds
mds resource
888.250.3987




Re: [Leaf-user] Silent_Deny by destination address ???

2001-12-09 Thread Simon Bolduc

Depending on the service provider the 10.x.x.x addresses could simply be the
modems (as that is the usual IP scheme for @home modems - not nics) going
through misconfigured ISP routers or something like that if it seems to be a
problem for lots of customers.

S

