From owner-freebsd-questions Sat Mar 24 8: 9:23 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from clmboh1-smtp3.columbus.rr.com (clmboh1-smtp3.columbus.rr.com [65.24.0.112])
	by hub.freebsd.org (Postfix) with ESMTP id 6CE8937B71D
	for ; Sat, 24 Mar 2001 08:09:19 -0800 (PST)
	(envelope-from wmoran@iowna.com)
Received: from iowna.com (dhcp065-024-023-038.columbus.rr.com [65.24.23.38])
	by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id f2OG6ZH06478;
	Sat, 24 Mar 2001 11:06:35 -0500 (EST)
Message-ID: <3ABCC6D8.DAC386C3@iowna.com>
Date: Sat, 24 Mar 2001 11:10:00 -0500
From: Bill Moran
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Jim Freeze
Cc: questions@FreeBSD.ORG
Subject: Re: Meaging of Security Check?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Jim Freeze wrote:
>
> Hi:
>
> I received the following security check and was wondering what it means:
>
> eeyore1 security check output
>
> eeyore1 kernel log messages:
> > x3f8-0x3ff irq 4 flags 0x10 on isa
> > ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
>
> ...where the above is repeated for about 100 lines
>
> I looked up port 67 in /etc/services and it says:
>
> bootps 67/tcp dhcps #Bootstrap Protocol Server
> bootps 67/udp dhcps #Bootstrap Protocol Server
>
> nslookup says:
>
> % nslookup 24.2.7.70
> Server: proxy1.lxintn1.ky.home.com
> Address: 24.5.116.15
>
> Name: lh1.rdc1.tn.home.com
> Address: 24.2.7.70
>
> Can someone explain what is happening here?

(on a guess) it looks like you're getting broadcast traffic from some
systems on your network that do a network boot.
That would be normal, as the system has to broadcast its initial bootps
request (since it doesn't know who its boot server will be yet).

Probably a line in your firewall rules to deny incoming on port 67 would
be a little nicer, but overall I wouldn't worry about it.
The .home.com people, on the other hand, should feel stupid for letting
that kind of traffic reach your level.

-Bill
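
An added example, not part of the original message: a small Python parser for the ipfw log lines quoted above that collapses repeated entries and names the well-known ports, so the endpoints, direction (in/out) and interface of each repeated entry are explicit. The line format is inferred from the quoted lines only, and the names parse, describe and summarize are illustrative.

```python
import re
from collections import Counter

# Format of the ipfw log lines quoted in the message (inferred from those lines):
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Service names as in /etc/services: 67 is quoted in the message, 68 is the
# matching client port, 22 is the destination of the accepted TCP entry.
PORT_NAMES = {("UDP", 67): "bootps", ("UDP", 68): "bootpc", ("TCP", 22): "ssh"}

def parse(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def describe(rec):
    """One-line description with well-known ports replaced by service names."""
    sport = PORT_NAMES.get((rec["proto"], rec["sport"]), rec["sport"])
    dport = PORT_NAMES.get((rec["proto"], rec["dport"]), rec["dport"])
    return (f"rule {rec['rule']} {rec['action']} {rec['proto']} "
            f"{rec['src']}:{sport} -> {rec['dst']}:{dport} {rec['dir']} via {rec['iface']}")

def summarize(lines):
    """Collapse repeated entries into (count, description), most frequent first."""
    recs = filter(None, map(parse, lines))  # drops non-ipfw kernel messages
    return [(n, desc) for desc, n in Counter(map(describe, recs)).most_common()]

# Sample input: the kernel log lines quoted in the message, "> " markers kept.
SAMPLE = """\
> x3f8-0x3ff irq 4 flags 0x10 on isa
> ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
""".splitlines()

if __name__ == "__main__":
    for n, desc in summarize(SAMPLE):
        print(f"{n:4d}  {desc}")
```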