>I know they're written by inetd/tcp wrappers, but none of the man pages
>seem to have the format of the output.

Actually.. these are coming from a "-o" line in your IPFWADM ruleset and
not from TCPD.  This is GOOD!  This means you have a decent IPFWADM 
ruleset!  :)


>RedHat 5.1 firewall connected to MediaOne Express cablemodem on eth0,
>hub on eth1, with internal machines hooked up to the hub.
>
>Sep 21 23:23:51 kramer kernel: IP fw-in deny eth0 UDP 192.168.1.100:520
>192.168.1.255:520 L=52 S=0x00

Basically.. it's saying.. that a UDP incoming packet on the eth0 interface
from IP address 192.168.1.100 for the RIP process is going to the
network broadcast address of 192.168.1.255.

Basically.. there is a machine broadcasting a bogus address of 
192.168.1.100.  Since your cablemodem is on eth0, this is some 
other cablemodem user that either has a true router or a UNIX box 
running routed or gated in RIP mode.

You probably won't be able to find this user but try this:

        /sbin/arp -a

This should show you all the MAC addresses that your LINUX box is 
seeing.  You might be able to then determine the user's IP address from
this.  TELNET to that box and either send mail to the root user (via 
TELNET port 25) or CRASH it.  Doh!

If anything else.. you can set up a specific IPFWADM ruleset for port
520 and NOT log it.  Then.. all of these packets will be properly
dropped without logging them to SYSLOG.

--David
.----------------------------------------------------------------------------.
|  David A. Ranch - Remote Access/Linux/PC hardware      [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
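An added example, not part of the original post or David's own tooling: a small parser for the `IP fw-in deny ...` syslog lines discussed above, with a classifier that flags the pattern described in the thread (UDP/520 RIP traffic to a directed-broadcast address, arriving from an RFC 1918 source on the cable-modem interface). The field layout is read off the single line quoted in the thread; the sample log excerpt, the `eth0` external-interface assumption and the classification rules are constructed for this example.

```python
"""Parse and classify Linux 2.0 ipfwadm 'IP fw-in deny' syslog lines.

Added example, not from the original mailing-list post. The field layout
(chain, action, interface, protocol, src:port, dst:port, L=length, S=TOS)
is taken from the sample line quoted in the thread; the classification
rules and the sample log excerpt below are assumptions/constructed data.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample syslog lines in the format quoted in the thread.
SAMPLE_LOG = """\
Sep 21 23:23:51 kramer kernel: IP fw-in deny eth0 UDP 192.168.1.100:520 192.168.1.255:520 L=52 S=0x00
Sep 21 23:24:21 kramer kernel: IP fw-in deny eth0 UDP 192.168.1.100:520 192.168.1.255:520 L=52 S=0x00
Sep 21 23:25:03 kramer kernel: IP fw-in deny eth0 TCP 24.0.0.7:1034 24.0.0.9:23 L=44 S=0x00
Sep 21 23:25:09 kramer kernel: some unrelated kernel message
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP fw-(?P<chain>in|out|fwd) (?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+)"
)

EXTERNAL_IFACE = "eth0"   # assumption: the cable-modem side, as in the post
RIP_PORT = 520            # RIP (routed/gated) listens and announces on UDP 520


def parse_line(line):
    """Return a dict of fields for an ipfwadm log line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a parsed record with the observations a defender cares about."""
    tags = []
    src = ip_address(rec["src"])
    dst = ip_address(rec["dst"])
    if rec["proto"] == "UDP" and rec["dport"] == RIP_PORT:
        tags.append("rip")
    if str(dst).endswith(".255"):          # crude /24 directed-broadcast check
        tags.append("broadcast")
    if rec["iface"] == EXTERNAL_IFACE and src.is_private:
        tags.append("private-src-on-external")   # bogus source, as in the thread
    return tags


def summarize(text):
    """Count (source, tags) pairs across a syslog excerpt; skips non-matching lines."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["src"], tuple(classify(rec)))] += 1
    return counts


if __name__ == "__main__":
    for (src, tags), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:16s}  {','.join(tags) or '-'}")
```

Running the script over a real `/var/log/messages` excerpt gives a per-source count of the noisy RIP broadcasts, which is the information you want before deciding whether to add the unlogged port-520 deny rule David suggests: a single source that is all `rip,broadcast,private-src-on-external` is the neighbour's misconfigured router, not something worth logging every thirty seconds.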