Chris Spackman wrote:
>
> Ok, this one is interesting, I think.
>
> I have a cable modem, which is connected to a local (172.x.x.x) net and
> masqueraded on the internet. (I think that is how it works). Anyhow, some
> idiots on this internal net have services broadcasting to everyone and so
> are constantly filling my logs with "DENY 172.16.xxx.xxx blah blah blah"
> messages from the firewall. The vast majority of these are on port 2301.
> Recently however, things have taken an interesting twist, with a new address
> showing up - 127.0.0.1, also on port 2301. Now I don't think that this is
> from my machine, because it only happens when I am physically connected to
> the network (ie, i plug in the ethernet cable). Only. No other time. Also,
> netstat does not show port 2301 as open or listening on anything.
>
> the deny line looks a little like this: [snip] input DENY eth0 PROTO=17
> 127.0.0.1:2301 255.255.255.255:2301 [snip] (#32)
>
> Is it possible that someone on the network is actually broadcasting to
> everyone their attempt to connect to localhost? What is this? Could it be
> coming from my box?
The loopback address is NEVER (unless the rules have changed) supposed to appear
on a physical net.
Use a sniffer tool to capture these packets, get the MAC address of the sender.
If this MAC is not yours (see your ifconfig output), then look for packets with
that MAC and a real IP and get your ISP involved now that you've done the grunt
work of finding the broken machine(s). Alternatively (assuming the packets are
not from you), complain to the ISP who should have sniffers...
HTH,
Pierre
