Mike:
Heya. Some thoughts on what you're seeing:
> Apr 18 15:44:50 firewall kernel: Packet log: input DENY eth0 PROTO=17
> 66.147.147.152:520 66.147.147.255:520 L=52 S=0x00 I=64309 F=0x0000
> T=128(#40)
These are UDP packets being broadcast to port 520 on all devices
on your subnet. UDP port 520 is where the Routing Information Protocol
(RIP) service listens, which is intended to allow your ISP's routers and
gateways to exchange information for computing routes through the Internet.
These broadcasts you're seeing are some type of routing update message
associated with that. No need for you to worry about them at all.
> Apr 18 15:46:21 firewall kernel: Packet log: input DENY eth0 PROTO=17
> 172.16.1.135:1034 255.255.255.255:164 L=128 S=0x00 I=44552 F=0x0000
> T=128(#9)
This one is even more esoteric than RIP: it's something called
"CMIP Over IP", which is how Common Information Management Protocol
devices speak to each other over an IP network like an Ethernet LAN
or the Internet. CMIP agents listen for connections on UDP port 164,
CMIP Managers listen on UDP port 163. Again, this is probably something
your ISP is using to remotely manage and configure their routers and
gateway equipment.
> Apr 18 15:45:03 firewall kernel: Packet log: input DENY eth0 PROTO=17
> 10.10.0.6:67 255.255.255.255:68 L=352 S=0x00 I=32047 F=0x4000 T=255(#8)
> Apr 18 15:45:03 firewall dhclient: ip length 352 disagrees with bytes
> received 356.
This is a reply from your ISP's DHCP server which runs on
IP address 10.10.0.6, UDP port 67. Apparently, the server is running
NetBSD 1.5.1, and hasn't fixed this known bug with the sip driver:
http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=13460
As you know, of course, you can ignore these DHCP replies
that fill your firewall logs.
I'll be adding your first two packets to the firewall packet
interpreter at "www.echogent.com/cgi-bin/fwlog.pl". Thanks for the
good samples. :) I guess that's the upside of having a noisy ISP...
cheers,
Scott
_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
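
The field-by-field reading of the three quoted log entries above, as an added example (not part of the original message, and not the code of the fwlog.pl interpreter it mentions): a small Python decoder for ipchains "Packet log" lines. The port table covers only the ports discussed in the message, and treating a destination ending in .255 as a subnet broadcast assumes a /24 network.

```python
import re

# Layout of an ipchains "Packet log" entry as seen in the quoted samples.
# Per the ipchains documentation: L=IP total length, S=TOS, I=IP ID,
# F=flags/fragment offset, T=TTL, (#N)=number of the matching rule.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)\s*\(#(?P<rule>\d+)\)")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Only the UDP ports discussed in the message; not a full services table.
UDP_SERVICES = {67: "DHCP server", 68: "DHCP client",
                163: "CMIP manager", 164: "CMIP agent", 520: "RIP"}

# The three kernel entries quoted in the message, mail wrapping kept.
SAMPLES = [
    """Apr 18 15:44:50 firewall kernel: Packet log: input DENY eth0 PROTO=17
66.147.147.152:520 66.147.147.255:520 L=52 S=0x00 I=64309 F=0x0000
T=128(#40)""",
    """Apr 18 15:46:21 firewall kernel: Packet log: input DENY eth0 PROTO=17
172.16.1.135:1034 255.255.255.255:164 L=128 S=0x00 I=44552 F=0x0000
T=128(#9)""",
    """Apr 18 15:45:03 firewall kernel: Packet log: input DENY eth0 PROTO=17
10.10.0.6:67 255.255.255.255:68 L=352 S=0x00 I=32047 F=0x4000 T=255(#8)""",
]

def parse_packet_log(entry):
    """Decode one entry (wrapped lines are rejoined); None if no match."""
    m = LOG_RE.search(" ".join(entry.split()))
    if m is None:
        return None
    f = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl", "rule"):
        f[key] = int(f[key])
    f["dont_fragment"] = bool(int(f["frag"], 16) & 0x4000)  # DF bit in F=
    f["protocol"] = PROTOCOLS.get(f["proto"], "proto %d" % f["proto"])
    is_udp = f["proto"] == 17
    f["service"] = UDP_SERVICES.get(f["dport"], "unknown") if is_udp else "unknown"
    # Limited broadcast, or a .255 host part (assumes a /24 subnet).
    f["broadcast"] = f["dst"] == "255.255.255.255" or f["dst"].endswith(".255")
    return f

if __name__ == "__main__":
    for f in map(parse_packet_log, SAMPLES):
        print("%(action)s %(protocol)s %(src)s:%(sport)d -> %(dst)s:%(dport)d "
              "%(service)s broadcast=%(broadcast)s rule #%(rule)d" % f)
```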