Date: Mon, 24 Mar 2003 15:50:32 +0000 (GMT)
From: Jan Grant
To: Darryl Hoar
Cc: freebsd-questions
Subject: Re: help with firewall log message

On Mon, 24 Mar 2003, Darryl Hoar wrote:

> Greetings,
> I am running 4.4-stable on my firewall.
> I have set it up using www.schlacter.com
> as a guide.
>
> I keep getting this message every minute in my
> firewall log. I need to decipher this and if it's
> normal, quit logging it as it's filling up my
> firewall log.
>
> here's the entry:
>
>
> Mar 24 08:06:43 darryl ipmon[98]: 08:06:42.283459 xl0 @0:3 b
> 10.0.0.1,router ->
> 10.0.0.255,router PR udp len 20 72 IN
>
> what does it mean ?

It's an RIP announcement.

> Also, is there a good reference that would allow a user
> to break down the message and understand it ?

Probably something on the ipfilter web site. The log format looks like
date, machine, process, accurate timestamp, interface, rule, action
taken (from the source), then the 10.0.0.1,router bit which is the
packet detail. In this case "router" is udp port 520 (look it up in
/etc/services) broadcasting (that's the 10.0.0.255). The protocol's udp
and the rest are more packet details.

Your router is probably generating these every 30 seconds or so. You can
either configure it to not do so or ignore this log line.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Donate a signature: http://ioctl.org/jan/sig-submit
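
The field breakdown in the reply, as an added example that is not part of the original message: a Python parser for the quoted ipmon line that also separates the RIP broadcasts from the rest of the log so everything else stays visible. The function names, the `SERVICES` table and the second sample line are assumptions made for illustration.

```python
import re

# Field order as the reply lists it: date, machine, process, timestamp,
# interface, @group:rule, action, src,port -> dst,port, PR proto, len.
IPMON_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?P<ts>[\d:.]+) (?:\d+x )?(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[^, ]+)(?:,(?P<sport>\S+))? -> "
    r"(?P<dst>[^, ]+)(?:,(?P<dport>\S+))? PR (?P<proto>\S+) "
    r"len (?P<hdr_len>\d+) (?P<pkt_len>\d+)(?P<rest>.*)$"
)

# Service names as ipmon prints them; "router" = 520 is the mapping in the reply.
SERVICES = {"router": 520}

def port_number(name):
    """Numeric port for a digit string or known service name, else None."""
    if name and name.isdigit():
        return int(name)
    return SERVICES.get(name)

def parse_ipmon(line):
    """Split one syslog'd ipmon line into a dict; None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = port_number(rec["sport"]), port_number(rec["dport"])
    tail = rec.pop("rest").split()
    rec["direction"] = tail[-1] if tail and tail[-1] in ("IN", "OUT") else None
    return rec

def is_rip_announcement(rec, broadcast):
    """True for UDP to port 520 sent to the given broadcast address."""
    return rec["proto"] == "udp" and rec["dport"] == 520 and rec["dst"] == broadcast

def split_noise(lines, broadcast="10.0.0.255"):
    """Return (rip, other); unparseable lines stay in 'other' so nothing is hidden."""
    rip, other = [], []
    for line in lines:
        rec = parse_ipmon(line)
        (rip if rec and is_rip_announcement(rec, broadcast) else other).append(line)
    return rip, other

SAMPLE = [
    # Line from the original message, rejoined onto one line.
    "Mar 24 08:06:43 darryl ipmon[98]: 08:06:42.283459 xl0 @0:3 b 10.0.0.1,router -> 10.0.0.255,router PR udp len 20 72 IN",
    # Constructed line (not from the message): a blocked TCP packet that must stay visible.
    "Mar 24 08:07:01 darryl ipmon[98]: 08:07:00.101010 xl0 @0:3 b 192.0.2.7,40000 -> 10.0.0.5,23 PR tcp len 20 60 -S IN",
]
```

`split_noise(SAMPLE)` puts the quoted line in the first list and leaves the constructed TCP line in the second.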