Recently my (extremely old but up to now totally reliable) LEAF install
has been choking on what seem to be packets dropped from itself. The
firewall is a standard two-interface install of Bering 1.0 rc3 (packages
listed):
initrd V1.0-rc3
root V1.0-rc3
etc V1.0-rc3
local V1.0-rc3 Local package. This package does not contain a
modules V1.0-rc3 Modules package. Contains kernel modules and u
pump 0.8.11-3 DHCP/BOOTP client from Redhat
keyboard 0.3 Use this package to adjust the keyboard settin
shorwall 1.3.1 Shoreline Firewall (Shorewall)
weblet 1.2.0 weblet - LRP status via a small web server
sshd 3.4p1 OpenSSH sshd daemon.
sshkey 3.4p1 OpenSSH ssh-keygen program.
libz 1.1.4 zlib compression library. Needed for openssh
dhcpd 2.0pl5 dhcpd - Autoconfigure client machines
dnscache 1.05a dnscache from djbdns (V1.05a) package creates
Every time this sort of packet shows up in the logs, the firewall stops
allowing access to the internet (logs from one instance):
Aug 8 04:22:11 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=11867 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:14 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=19697 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:20 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=23785 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:32 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=12132 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:41 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=24526 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:41 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=3804 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:41 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=31457 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:41 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=12128 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Aug 8 04:22:41 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=9879 DF PROTO=UDP SPT=68 DPT=67 LEN=308
My question is: does this show someone trying to access my firewall, or is it a
false positive (?),
i.e. something on my network producing these hits, or is someone trying to get in
(God alone knows why they'd bother)?
--
regards
sean coogan
------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/