On 11/01/2012 07:19 PM, attelas wrote:
> Hi Victor,
>
> Sure I can post an example: see below.
>
> [snippet of /var/run/firewall.log]
> Nov 1 17:54:47 localhost kernel: [508296.522564] vrmr: DROP spoof
> iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0
> PROTO=UDP SPT=68 DPT=67 LEN=556
> Nov 1 17:54:49 localhost kernel: [508298.528577] vrmr: DROP spoof
> iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0
> PROTO=UDP SPT=68 DPT=67 LEN=556
> [/snippet of /var/run/firewall.log]
>
> Default situation in Traffic.log (I deleted the rule AND service
> 'dhcp_spoof' in order to show the original state)
> [snippet of /var/log/vuurmuur/traffic.log]
> Nov 1 18:31:05: DROP service 68->67(udp) from 0.0.0.0 to
> 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2
> 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67
> UDP len:576 ttl:64)
> Nov 1 18:31:07: DROP service 68->67(udp) from 0.0.0.0 to
> 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2
> 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67
> UDP len:576 ttl:64)
> [/snippet of /var/log/vuurmuur/traffic.log]
>
> For the sake of completeness: the only effect the rule has in
> Traffic.log is that afterwards the rule replaces '68->67(udp)' with
> 'dhcp_spoof'.
> [snippet of /var/log/vuurmuur/traffic.log]
> Nov 1 18:05:01: DROP service dhcp_spoof from 0.0.0.0 to
> 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2
> 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67
> UDP len:576 ttl:64)
> Nov 1 18:05:03: DROP service dhcp_spoof from 0.0.0.0 to
> 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2
> 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67
> UDP len:576 ttl:64)
> [/snippet of /var/log/vuurmuur/traffic.log]
>
> Regarding the fact that these messages come in bundles of 6 messages
> (2-3 seconds apart) followed by a period of silence of 5-6 seconds, the
> logfile is rapidly filled. Hence the name 'flooding'.

You could try enabling "dhcp server" and/or "dhcp client" in the network your eth2 interface belongs to.

_______________________________________________
Vuurmuur-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
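
An added example, not part of the original thread and not Vuurmuur code: a small triage script that separates DHCP client broadcasts (0.0.0.0:68 to 255.255.255.255:67) from other anti-spoof drops in the kernel log, so the flood can be attributed to an interface and client MAC. The function names and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two entries are the kernel log lines from the
# post with the mail wrapping undone; the third is invented for contrast.
SAMPLE_LOG = """\
Nov 1 17:54:47 localhost kernel: [508296.522564] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Nov 1 17:54:49 localhost kernel: [508298.528577] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Nov 1 17:54:50 localhost kernel: [508299.000000] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=00:11:22:33:44:55:02:00:00:00:00:01:08:00 SRC=0.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=40000 DPT=22
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # value may be empty, as in "OUT="

def parse(line):
    """Return the KEY=value fields of a vrmr kernel log line, or None."""
    if "vrmr:" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split("vrmr:", 1)[1]):
        fields.setdefault(key, value)  # LEN occurs twice; keep the IP length
    return fields

def is_dhcp_client_broadcast(f):
    """True for a client-to-server DHCP broadcast sent before a lease exists."""
    return (f.get("SRC") == "0.0.0.0" and f.get("DST") == "255.255.255.255"
            and f.get("PROTO") == "UDP" and (f.get("SPT"), f.get("DPT")) == ("68", "67"))

def source_mac(f):
    """MAC= holds destination MAC, source MAC and EtherType (14 octets)."""
    octets = f.get("MAC", "").split(":")
    return ":".join(octets[6:12]) if len(octets) == 14 else "unknown"

def triage(log_text):
    """Count DHCP broadcasts per (interface, client MAC); collect the rest."""
    dhcp, other = Counter(), []
    for line in log_text.splitlines():
        f = parse(line)
        if f is None:
            continue
        if is_dhcp_client_broadcast(f):
            dhcp[(f.get("IN"), source_mac(f))] += 1
        else:
            other.append(line)
    return dhcp, other

if __name__ == "__main__":
    dhcp, other = triage(SAMPLE_LOG)
    for (iface, mac), n in dhcp.most_common():
        print(f"{n} DHCP client broadcasts on {iface} from {mac}")
    print(f"{len(other)} other anti-spoof drops to review")
```

Drops that remain in the second list are the ones worth reading individually; the first list shows which interface and client account for the repeated entries.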
