Rob Moore wrote:

> Hello there a few questions; thanks in advance:-
>
> 1. router - which is a 486-PCI board using two 3com 3c905b nics
> and a SURFboard SB4100 cable modem. Internal network is 192.168.1.0/24
> external net 62.x.x.x provided by DHCP from ISP. All is working fine
> but I have an annoying issue with the logs filling up.
>
> There seems to be a dhcp node in the modem itself which is doing some
> sort of broadcast which in turn is being denied by the firewall;
> entries such as:-
>
> Jul  1 00:44:38 pdrtr kernel: Packet log: input DENY eth0 PROTO=2
> 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#9)
> Jul  1 00:47:38 pdrtr kernel: Packet log: input DENY eth0 PROTO=2
> 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#9)
> Jul  1 00:50:38 pdrtr kernel: Packet log: input DENY eth0 PROTO=2
> 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#9)
> Jul  1 00:53:38 pdrtr kernel: Packet log: input DENY eth0 PROTO=2
> 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#9)
>
> eth0 is my external interface so the firewall is doing its job
> by denying them as it is not expecting packets with that sort of
> source address on the external interface. (that bit I do understand!)
>

These are multicast packets, possibly from your ISP or a misconfigured clown on
your cable network who is spewing them out.  Multicast packets stay within a
network - and are not supposed to pass through the routers onto the Internet, so
these packets are coming from close by.
Eiger has a rule that denies and logs private IPs.  I list here a rule you could
use to not log these packets.  It is ahead of the general rule that denies
private packets.  I put such a rule in for you in the right place in
/etc/ipfilter.conf.  The added portion is right after the row of ******

# A function to filter out Martian source addresses
stopMartians () {
        local LIST=$1
        shift

        # All ones, all zeroes
        $IPCH -A $LIST -j DENY -p all  -s 0.0.0.0 -d 0/0 -l $*
        $IPCH -A $LIST -j DENY -p all  -s 255.255.255.255 -d 0/0 -l $*

        # Loop back addresses
        $IPCH -A $LIST -j DENY -p all  -s 127.0.0.0/8 -d 0/0 -l $*

        # **********
        # Added to block Multicasts that are bothering me
        $IPCH -A $LIST -j DENY -p all  -s 192.168.100.1/32 -d 224.0.0.1/32 $*

        # Multicast source addresses
        $IPCH -A $LIST -j DENY -p all  -s 224.0.0.0/4 -d 0/0 -l $*

        # RFC 1918/1627/1597 blocks
        $IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*
        $IPCH -A $LIST -j DENY -p all  -s 172.16.0.0/12 -d 0/0 -l $*
        $IPCH -A $LIST -j DENY -p all  -s 192.168.0.0/16 -d 0/0 -l $*
Notice that since the rule is ahead of the general rule to deny 192.168
addresses, it will drop the packet without logging.
No need to reboot:
# svi network ipfilter flush
# svi network ipfilter reload
If everything works, then backup etc.
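An added illustration of the first-match ordering the reply relies on (not code from the post or from the LEAF/Eiger project): it parses ipchains "Packet log:" lines like the ones above (PROTO=2 is IGMP, 224.0.0.1 the all-hosts multicast group, T=1 a link-local TTL), walks the stopMartians rules in the order they are appended, and reports whether the matching rule carries -l. The second sample log line is constructed for contrast.

```python
import ipaddress
import re

# Constructed sample in the ipchains "Packet log:" format from the thread:
# the first line is the modem's IGMP query, the second a made-up RFC 1918
# source hitting the external interface.
SAMPLE_LOG = """\
Jul  1 00:44:38 pdrtr kernel: Packet log: input DENY eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#9)
Jul  1 00:45:10 pdrtr kernel: Packet log: input DENY eth0 PROTO=6 192.168.5.5:1234 62.0.0.1:80 L=60 S=0x00 I=4711 F=0x4000 T=63 (#13)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .* T=(?P<ttl>\d+)"
)

def parse_packet_log(text):
    """Yield one dict per ipchains 'Packet log:' line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("proto", "sport", "dport", "ttl"):
                d[k] = int(d[k])
            yield d

# The stopMartians chain from the post as (source net, dest net, logged?) in
# the order the $IPCH -A commands append them. The added multicast rule sits
# ahead of the RFC 1918 rule and has no -l flag (-s 0.0.0.0 means a /32 host).
STOP_MARTIANS = [
    ("0.0.0.0/32", "0.0.0.0/0", True),
    ("255.255.255.255/32", "0.0.0.0/0", True),
    ("127.0.0.0/8", "0.0.0.0/0", True),
    ("192.168.100.1/32", "224.0.0.1/32", False),   # added rule, no -l
    ("224.0.0.0/4", "0.0.0.0/0", True),
    ("10.0.0.0/8", "0.0.0.0/0", True),
    ("172.16.0.0/12", "0.0.0.0/0", True),
    ("192.168.0.0/16", "0.0.0.0/0", True),
]

def evaluate(pkt, chain=STOP_MARTIANS):
    """First matching rule wins, as in ipchains; returns (action, logged, rule index)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for i, (snet, dnet, log) in enumerate(chain):
        if src in ipaddress.ip_network(snet) and dst in ipaddress.ip_network(dnet):
            return ("DENY", log, i)
    return ("PASS", False, None)   # fell through the martian checks

def classify(text):
    """(src, dst, (action, logged)) for every packet-log line in text."""
    return [(p["src"], p["dst"], evaluate(p)[:2]) for p in parse_packet_log(text)]
```

Swap the order of the two 192.168 rules in STOP_MARTIANS and the modem's packet is logged again, which is the whole reason the added rule must come first.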


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
