
Re: [TCLUG:16126] Packet Log to Console?



On Thu, Apr 13, 2000 at 07:19:33AM -0500, Jonathan Kline wrote:
> Anyone have any idea what this means?
> 
> Both syslog and Klog are running........  I came in this morning and
> had 50 or 60 across the console....
> 
> Packet log: input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67
> L=328 S=0x00 I=16131 F=0x0000 T=128
> 
> Please help... IS this just some funky IPChains rules?

Yes, this is IPChains.  On to some basic investigation...

FIRST QUESTION:  
	Where do you find out what the numeric representation of a
	protocol translates to on a Linux box?
Answer:
	/etc/protocols
Therefore:
	$ grep 17 /etc/protocols
	#       from: @(#)protocols     5.1 (Berkeley) 4/17/89
	udp     17      UDP             # user datagram protocol

NEXT QUESTION:
	Where do you find out what the numeric representation of a port
	address translates to on a Linux box?
Answer:
	/etc/services
Therefore:
	$ grep 68 /etc/services
	bootpc          68/tcp                          # BOOTP client
	bootpc          68/udp

	$ grep 67 /etc/services
	bootps          67/tcp                          # BOOTP server
	bootps          67/udp

NEXT QUESTION:
	What is the source of the packet?
Answer:
	Found as the first address listed in the error log entry
Therefore:
	0.0.0.0:68

NEXT QUESTION:
	What is the destination of the packet?
Answer:
	Found as the second address listed in the error log entry
Therefore:
	255.255.255.255:67

CONCLUSIONS:
	A bootp client on your ethernet network (0.0.0.0) is requesting a
	reply from the server listening to the ethernet broadcast address
	(255.255.255.255).  There may or may not be a server on the
	ethernet; regardless, your firewall is picking up the packet sent to the
	broadcast address.

SOLUTION:
	If you have any bootp enabled devices (or DHCP) on your ethernet,
	which obviously you do, you should configure IPChains so that it
	does not log these packets you are obviously DENY'ing.  Remember
	to create the rule with respect to the correct interface.

HINT:
	Place an IPChains rule just before your logging rule...

RESOURCES:
	Firewall-HOWTO
	IPChains-HOWTO

----------------------------------------------------------------
Chad Walstrom                         mailto:chewie@wookimus.net 
a.k.a ^chewie, gunnarr                http://wookimus.net/chewie

   Gnupg: B4AB D627 9CBD 687E 7A31  1950 0CC7 0B18 206C 5AFD
----------------------------------------------------------------
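The decoding walked through above (PROTO number via /etc/protocols, ports via /etc/services, source and destination from the two addresses) as an added example, not code from the original post: a small parser for ipchains "Packet log:" lines that resolves the fields and flags the BOOTP/DHCP client broadcast pattern so it can be excluded from logging rather than chased. The PROTOCOLS and SERVICES tables are a constructed subset standing in for the real files so it runs offline.

```python
import re

# Offline stand-ins for /etc/protocols and /etc/services (constructed subset).
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {("udp", 67): "bootps", ("udp", 68): "bootpc", ("udp", 53): "domain",
            ("tcp", 22): "ssh", ("tcp", 80): "http"}

# ipchains layout: chain action iface PROTO=n src:port dst:port
#                  L=total length S=TOS I=IP id F=fragment offset T=TTL
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)")

def parse_packet_log(line):
    """Decode one ipchains line into a dict; None for anything that is not a Packet log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport", "length", "ttl"):
        e[k] = int(e[k])
    e["proto"] = PROTOCOLS.get(int(e["proto"]), e["proto"])  # 17 -> "udp"
    return e

def is_bootp_broadcast(e):
    """Client with no address yet (0.0.0.0:68) asking every BOOTP/DHCP server (255.255.255.255:67)."""
    return (e["proto"] == "udp" and e["src"] == "0.0.0.0" and e["sport"] == 68
            and e["dst"] == "255.255.255.255" and e["dport"] == 67)

def explain(line):
    """One-line triage of a log entry, with ports resolved the way /etc/services would."""
    e = parse_packet_log(line)
    if e is None:
        return "not an ipchains Packet log line"
    name = lambda p: SERVICES.get((e["proto"], p), str(p))
    why = ("BOOTP/DHCP client broadcast: expected noise, exclude from logging"
           if is_bootp_broadcast(e) else "review")
    return (f"{e['chain']} {e['action']} {e['iface']} {e['proto']} {e['src']}:{name(e['sport'])} -> "
            f"{e['dst']}:{name(e['dport'])} len={e['length']} ttl={e['ttl']}; {why}")

# Constructed sample: the line from the original post.
SAMPLE = ("Packet log: input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67 "
          "L=328 S=0x00 I=16131 F=0x0000 T=128")
```

Running `explain(SAMPLE)` gives the decoded line ending in the BOOTP/DHCP verdict; any other DENY line ends in "review".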
