Mark Rafn wrote:
> On Thu, 22 Apr 1999, John Kramer wrote:
> > eth0 is your internal lan, right? Or is eth1 connected to your lan?
>
> This confused me too. If the message says it's an input rule from eth0,
> it doesn't seem likely that the packet came in on eth1. But if it's
> 192.168.4.1 (his eth1 address), it seems unlikely that it came from eth0.

Just to be clearer, the typical message looks like:

    kernel: IP fw-in deny eth0 UDP 192.168.4.1:68 255.255.255.255:67 L=328 S=0x00 I=53838 F=0x0000 T=128

eth0 is the NIC to my cable modem. 192.168.4.1 is the NIC to my LAN
(eth1) -- whether it's also something else, I don't know.

> The only thing that catches my eye is the 192.168.4.1 - where did this
> number come from? Does the PC sending the DHCP request just make it up
> and hope it's not used on your internal network?

Other machines on the cable-modem network should be set up with static
IPs. Maybe it's a cable modem -- theirs or mine -- booting up.

> > There's not much you can do about your neighbor except ignore him/her.
>
> Sure there is - you can serve her up an IP number by running your own DHCP
> server.

Ooooooo, my own VPN! :-)

Robert de Forest added:
> > Your neighbors don't notice anything wrong, but you can snoop 'em
> > at will.
>
> If your cable modem is as simple as a hub you could probably snoop people's
> traffic without assigning them an IP. I think this is something a lot of
> people are going to be unaware of, and it's going to be a big security
> hole.

Yep, on these networks about the only thing "safe" from snooping is SSL
transactions. If I type in a password without SSL (the case with most
"free e-mail" services, I believe), a neighbor could see it. They can
even read this message -- and your replies.

tcpdump on eth0 revealed some bootp traffic:

    19:42:29.171807 191.191.191.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 [|bootp]
    19:42:29.181807 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:192.168.0.1 [|bootp]
    19:42:29.191807 209.187.161.75.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:209.187.161.75 [|bootp]

So maybe that is the source.

Thanks!

Tod

