Date: Tue, 5 Apr 2005 00:29:57 +0200
From: Danny Pansters <danny@ricin.com>
To: freebsd-questions@freebsd.org
Subject: Re: ipflog entries?
Message-ID: <200504050029.57829.danny@ricin.com>
In-Reply-To: <4251BA47.2030901@gmail.com>
References: <4251BA47.2030901@gmail.com>

On Tuesday 05 April 2005 00:05, Robert Marella wrote:
> Greetings
>
> My daily mail on my firewall (5.3-rel-p4) has always shown many (> 10000)
> blocks by my blocking rule
> "block in quick on em0 from 10.0.0.0/8 to any". Obviously I'm using
> ipf/ipnat.
>
> So, for education, today I enabled "log" for a short time on that rule.
> Within a few minutes I logged over twenty
> attempts from the same address. (Sample below, text attached)
>
> 04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
> 04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
> 04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
> 04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>
> Port 67 shows dhcps and 68 shows dhcpc in /etc/services.
>
> em0 is connected to my roadrunner cable modem. Is the cable modem doing
> this or is someone spoofing this IP address?
>
> Sorry if this has been answered already but I'm kind of new to the
> firewall stuff.
>
> Thank you for your time.
> Robert

It's your cable provider insisting on sending you bootps info (for broken Windows customers I reckon). Yech, that's as if you're some network appliance :)

Mine does that too. I just drop/not log them. Whenever your dhclient needs to renew a lease it will connect, and if your firewall keeps state on that, your ISP's dhcp server has its lucky moment because for once something may connect back in. Both of you happy.

HTH,

Dan
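
Added example, not part of the original message: a small Python summarizer for ipmon block records like the ones quoted above, which groups blocked packets by flow and labels the inbound UDP 67 -> 255.255.255.255:68 pattern as a DHCP/BOOTP server broadcast. The function names, the labels and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed input: the four ipmon lines quoted in the message, plus one
# made-up non-DHCP line (last) for contrast.
SAMPLE = """\
04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:34:10.000001 em0 @0:3 b 10.1.2.3,137 -> 192.0.2.10,137 PR udp len 20 78 IN
"""

# date time ifname @group:rule action src,port -> dst,port PR proto len <n> <n> ... dir
LINE = re.compile(
    r"^\S+ \S+ (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len \d+ \d+.* (?P<dir>IN|OUT)$"
)

def parse(text):
    """Return a dict per line that looks like an ipmon packet record."""
    lines = (ln.strip() for ln in text.splitlines())
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def is_dhcp_server_broadcast(e):
    """Inbound UDP 67 -> 255.255.255.255:68, i.e. a DHCP/BOOTP server reply."""
    return (e["proto"], e["sport"], e["dst"], e["dport"], e["dir"]) == \
        ("udp", "67", "255.255.255.255", "68", "IN")

def summarize(text):
    """Count blocked flows per (rule, src, sport, dst, dport), with a label."""
    counts = Counter()
    for e in parse(text):
        if e["action"] != "b":  # keep only blocked packets
            continue
        label = "dhcp-server-broadcast" if is_dhcp_server_broadcast(e) else "other"
        rule = "@%s:%s" % (e["group"], e["rule"])
        counts[(rule, e["src"], e["sport"], e["dst"], e["dport"], label)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for flow, n in summarize(SAMPLE):
        print(n, *flow)
```

Run over a longer capture, the summary shows how much of a block rule's volume is this one broadcast pattern before deciding to stop logging it.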