One correction to what Armen wrote.

The example packet he chose is coming FROM port 68, going TO port 67. 68 is the DHCP client, 67 the server. So a DHCP client is sending out a broadcast packet (the only thing it can do, since it doesn't know the DHCP server's IP address ... in some cases, it won't have its own IP address or even know the network number) to ask any DHCP server that hears it to offer it a lease (an address and related info).

DHCP *servers* often send the replies as broadcast packets too, since they are often replying to hosts that do not yet have IP addresses. But they don't send out broadcast packets just to hear themselves talk ... only in response to a broadcast packet from a client.

The statement that "All machines connected to the same line need to know that there's a DHCP server running" is the piece that is wrong. Nobody needs to know that there is a DHCP server running, as a general matter. A DHCP client needs to find a server only when it actually needs to get or renew a lease, and it does so by initiating the exchange.


In this case, what you (James) saw was probably a "leaky router" at some other site on the ISP's network ... one that let a broadcast packet improperly leak over to the ISP site. It tried several times but got no responses. There are other things it might be too, none of them your problem.

The simplest place to check port numbers, at least for the common ports, is /etc/services. For the less standard ones, there are bigger listings on the Web (easy to Google).

At 04:39 PM 2/18/2004 -0500, Armen Kaleshian wrote:
Good start James!

I've tried to clarify, piece by piece, the output log for you below...

: Feb 17 15:08:13 - kernel: IP fw-in deny eth0 UDP 192.168.1.101:68
: 255.255.255.255:67 L=328 S=0x00 I=391 F=0x0000 T=128

Date
What did the logging
What chain the packet came in on
What the firewall did to the packet
What interface it came in on
What protocol
The source address:source port
The destination address:destination port
The length of the packet
The service descriptor
<Unsure of the rest>

DHCP works by sending out a broadcast packet, because in essence, it's a
broadcast service. All machines connected to the same line need to know that
there's a DHCP server running, and when they see the initial DHCP packet, and
they're set to accept the service, they ask for an IP, and the server sends one
out to that physical address.

Let me know if you need more clarification. There are a ton of resources on the
web regarding the common log format. Try googling common log format for
firewalls, and you should get some more information about the above.




