Re: [masq] /var/log/messages lines
> I know they're written by inetd/tcp wrappers, but none of the man pages
> seem to have the format of the output.

Actually.. these are coming from a "-o" line in your IPFWADM ruleset and not from TCPD. This is GOOD! This means you have a decent IPFWADM ruleset! :)

> RedHat 5.1 firewall connected to MediaOne Express cablemodem on eth0, hub on eth1,
> with internal machines hooked up to the hub.
>
> Sep 21 23:23:51 kramer kernel: IP fw-in deny eth0 UDP 192.168.1.100:520 192.168.1.255:520 L=52 S=0x00

Basically.. it's saying.. that a UDP incoming packet on the eth0 interface from IP address 192.168.1.100 for the RIP process is going to the network broadcast address of 192.168.1.255.

Basically.. there is a machine broadcasting a bogus address of 192.168.1.100. Since your cablemodem is on eth0, this is some other cablemodem user that either has a true router or a UNIX box running routed or gated in RIP mode.

You probably won't be able to find this user but try this:

    /sbin/arp -a

This should show you all the MAC addresses that your LINUX box is seeing. You might be able to then determine the user's IP address from this. TELNET to that box and either send mail to the root user (via TELNET port 25) or CRASH it. Doh!

If anything else.. you can setup a specific IPFWADM ruleset for port 520 and NOT log it. Then.. all of these packets will be properly dropped without logging it to SYSLOG.

--David

..
| David A. Ranch - Remote Access/Linux/PC hardware   [EMAIL PROTECTED] |
!! `- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
Re: [masq] /var/log/messages lines
David Kramer [EMAIL PROTECTED] wrote:

> I know they're written by inetd/tcp wrappers, but none of the man pages
> seem to have the format of the output.

No, they are produced by the firewall code within the kernel itself. See the part that says "kernel:"? These will show up in your "dmesg" output as well.

> Sep 21 23:23:51 kramer kernel: IP fw-in deny eth0 UDP 192.168.1.100:520 192.168.1.255:520 L=52 S=0x00 I=64 F=0x T=31

I think I found the source of these lines, in /usr/src/linux/net/ipv4/ip_fw.c. It's telling you that one of your firewall input rules denied a packet from being forwarded to eth0. It was a UDP packet, with source and destinations as you see them. The "L=52" is the packet length. "S=0x00" is the "type of service" flag. "I=64" is the internet protocol ID, which I'm not familiar with. "F=" is the fragment offset. "T=" is the TTL, or hop-count of the packet. Most of it is not terribly useful information, except for the source/destination information.

> The firewall properly denied them, but I would like to know what's going on.
> The scary part is that I have no .100 machine (although I am using 192.168.1.x
> for my internal machines), so these are prolly being broadcasted from someone
> else's box which is set up wrong.

Sounds about right.

> Can that be? Doesn't M1X block those ranges?

I don't know what an M1X is, sorry.

--
[EMAIL PROTECTED] (Fuzzy Fox)        || "Nothing takes the taste out of peanut
sometimes known as David DeSimone   || butter quite like unrequited love."
http://www.dallas.net/~fox/         ||                        -- Charlie Brown
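The field breakdown in the reply above (L= length, S= type of service, I= IP identification, F= fragment word, T= TTL) is enough to parse these kernel lines mechanically. The following is an added example, not code from either poster or from the kernel: a small parser for the ipfwadm "-o" log format plus two defender-side checks drawn from the thread, flagging the RIP broadcast noise that the first reply suggests dropping without logging, and flagging RFC 1918 source addresses arriving on the outside interface, which is exactly what made the .100 packets suspicious. The hostname, interface name `eth0`, the second and third sample lines and the filled-in `F=0x0000` value are all assumptions; the thread's own copy of the line is cut off after `F=0x`.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption (as in the thread): eth0 faces the cable modem, eth1 the inside hub.
EXTERNAL_IFACE = "eth0"

# Layout of a 2.0-kernel ipfwadm log line:
#   <syslog ts> <host> kernel: IP fw-<chain> <verdict> <iface> <proto>
#   <src>:<sport> <dst>:<dport> L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl>
# F= is allowed to be empty so a truncated copy (like the one in the thread) still parses.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"IP fw-(?P<chain>in|out|fwd)\s+(?P<verdict>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=0x(?P<tos>[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=0x(?P<frag>[0-9a-fA-F]*)\s+T=(?P<ttl>\d+)"
)


@dataclass
class FwLogEntry:
    timestamp: str
    host: str
    chain: str      # in / out / fwd
    verdict: str    # deny / accept / reject
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int     # L=  total packet length in bytes
    tos: int        # S=  type-of-service byte
    ipid: int       # I=  IP identification field
    frag: Optional[int]  # F=  fragment flags/offset word; None if cut off
    ttl: int        # T=  time to live (hop count)


def parse_line(line: str) -> Optional[FwLogEntry]:
    """Return a FwLogEntry for an ipfwadm kernel log line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return FwLogEntry(
        timestamp=g["ts"], host=g["host"], chain=g["chain"], verdict=g["verdict"],
        iface=g["iface"], proto=g["proto"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        tos=int(g["tos"], 16), ipid=int(g["ipid"]),
        frag=int(g["frag"], 16) if g["frag"] else None, ttl=int(g["ttl"]),
    )


def is_rip_broadcast(e: FwLogEntry) -> bool:
    """RIP (UDP/520) aimed at a broadcast address: the chatter the first reply
    suggests handling with a dedicated deny rule that does not log."""
    return e.proto == "UDP" and e.dport == 520 and e.dst.endswith(".255")


def is_private_src_on_external(e: FwLogEntry) -> bool:
    """An RFC 1918 source arriving inbound on the outside interface cannot be a
    legitimate Internet host: a misconfigured neighbour or a spoofed packet."""
    return (e.chain == "in" and e.iface == EXTERNAL_IFACE
            and ipaddress.ip_address(e.src).is_private)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count denied packets by category and list the noisiest (source, dport) pairs."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    denied = [e for e in entries if e.verdict == "deny"]
    return {
        "parsed": len(entries),
        "denied": len(denied),
        "rip_broadcasts": sum(is_rip_broadcast(e) for e in denied),
        "private_src_on_external": sum(is_private_src_on_external(e) for e in denied),
        "top_sources": Counter((e.src, e.dport) for e in denied).most_common(3),
    }


# Constructed sample log, modelled on the line quoted in the thread (F= filled in here).
SAMPLE_LINES = [
    "Sep 21 23:23:51 kramer kernel: IP fw-in deny eth0 UDP 192.168.1.100:520 192.168.1.255:520 L=52 S=0x00 I=64 F=0x0000 T=31",
    "Sep 21 23:24:21 kramer kernel: IP fw-in deny eth0 UDP 192.168.1.100:520 192.168.1.255:520 L=52 S=0x00 I=65 F=0x0000 T=31",
    "Sep 21 23:25:02 kramer kernel: IP fw-in deny eth0 TCP 24.1.2.3:1234 24.5.6.7:23 L=44 S=0x00 I=3001 F=0x4000 T=55",
    "Sep 21 23:25:03 kramer kernel: IP fw-in accept eth1 UDP 192.168.1.2:1025 192.168.1.1:53 L=60 S=0x00 I=12 F=0x0000 T=64",
    "Sep 21 23:25:04 kramer named[212]: starting",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary of the constructed sample, or feed it `open("/var/log/messages")` to summarize a real log. The `top_sources` counter is the quick way to answer "which box is spewing these" before deciding whether a quiet, non-logging drop rule for UDP/520 is appropriate; the private-source check keeps that rule from also hiding genuinely spoofed traffic, since those entries are counted separately.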