Date: Mon, 04 Apr 2005 12:45:33 -1000
From: Robert Marella <rmarella@gmail.com>
To: Danny Pansters <danny@ricin.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipflog entries?
Message-ID: <4251C38D.6020002@gmail.com>
In-Reply-To: <200504050029.57829.danny@ricin.com>
References: <4251BA47.2030901@gmail.com> <200504050029.57829.danny@ricin.com>

Danny Pansters wrote:

>On Tuesday 05 April 2005 00:05, Robert Marella wrote:
>
>>Greetings
>>
>>My daily mail on my firewall (5.3-rel-p4) has always shown many (> 10000)
>>blocks by my blocking rule
>>"block in quick on em0 from 10.0.0.0/8 to any". Obviously I'm using
>>ipf/ipnat.
>>
>>So, for education, today I enabled "log" for a short time on that rule.
>>Within a few minutes I logged over twenty
>>attempts from the same address. (Sample below, text attached)
>>
>>04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
>>04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>>04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
>>04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>>
>>Ports 67 shows dhcps and 68 shows dhcpc in /etc/services.
>>
>>em0 is connected to my roadrunner cable modem. Is the cable modem doing
>>this or is someone spoofing this IP address?
>>
>>Sorry if this has been answered already but I'm kind of new to the
>>firewall stuff.
>>
>>Thank you for your time.
>>Robert
>
>It's your cable provider insisting to send you bootps info (for broken Windows
>customers I reckon). Yech that's as if you're some network appliance :) Mine
>does that too. I just drop/not log them. Whenever your dhclient needs to
>renew a lease it will connect and if your firewall keeps state on that your
>ISP's dhcp server has its lucky moment because for once something may
>connect back in. Both of you happy.
>
>HTH,
>
>Dan

Thanks Dan.

I kinda thunk it was something like that. Just wanted someone such as
yourself to confirm. The sheer number that was reported in the daily mail
was what got me concerned. I was and am just dropping them. I only enabled
the log for about 5 minutes.

Thanks again
Robert
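
One way to triage a longer capture of these entries, added here as an example and not part of either poster's message: it parses log lines in the format quoted above and separates DHCP server broadcasts from other hits on the 10.0.0.0/8 block rule. The function names and the fifth sample line are constructed for illustration, and only tcp/udp entries that carry ports are handled.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# First four lines are the sample from the message above; the fifth is
# constructed to show a non-DHCP hit on the same rule.
SAMPLE = """\
04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:34:02.000000 em0 @0:3 b 10.1.2.3,40000 -> 192.0.2.10,22 PR tcp len 20 60 IN
"""

# Matches tcp/udp entries (those with ports); anything else is counted as unparsed.
LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: \S+)*? (?P<dir>IN|OUT)\s*$"
)
BLOCKED_NET = ip_network("10.0.0.0/8")  # the range named in the block rule

def parse(line):
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def is_dhcp_server_broadcast(e):
    # The traffic the reply describes: a DHCP server (udp/67) sending to
    # the client port (udp/68) at the limited broadcast address.
    return (e["proto"] == "udp" and e["sport"] == "67" and e["dport"] == "68"
            and e["dst"] == "255.255.255.255")

def summarize(text):
    dhcp, other, unparsed = Counter(), Counter(), 0
    for line in filter(None, map(str.strip, text.splitlines())):
        e = parse(line)
        if e is None:
            unparsed += 1
            continue
        if e["action"] != "b" or ip_address(e["src"]) not in BLOCKED_NET:
            continue  # keep only blocked packets sourced from 10/8
        key = (e["src"], e["sport"], e["dst"], e["dport"], e["proto"])
        (dhcp if is_dhcp_server_broadcast(e) else other)[key] += 1
    return dhcp, other, unparsed

if __name__ == "__main__":
    dhcp, other, unparsed = summarize(SAMPLE)
    print("DHCP server broadcasts:", dict(dhcp))
    print("other 10/8 hits:", dict(other), "unparsed:", unparsed)
```

Entries that land in the second counter are the ones worth reading individually; the first counter accounts for the bulk volume reported in the daily mail.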