Hi Victor,

Sure, I can post an example: see below.

[snippet of /var/run/firewall.log]
Nov 1 17:54:47 localhost kernel: [508296.522564] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Nov 1 17:54:49 localhost kernel: [508298.528577] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
[/snippet of /var/run/firewall.log]

Default situation in Traffic.log (I deleted the rule AND service 'dhcp_spoof' in order to show the original state)

[snippet of /var/log/vuurmuur/traffic.log]
Nov 1 18:31:05: DROP service 68->67(udp) from 0.0.0.0 to 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67 UDP len:576 ttl:64)
Nov 1 18:31:07: DROP service 68->67(udp) from 0.0.0.0 to 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67 UDP len:576 ttl:64)
[/snippet of /var/log/vuurmuur/traffic.log]

For the sake of completeness: the only effect the rule has in Traffic.log is that afterwards the rule replaces '68->67(udp)' with 'dhcp_spoof'.

[snippet of /var/log/vuurmuur/traffic.log]
Nov 1 18:05:01: DROP service dhcp_spoof from 0.0.0.0 to 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67 UDP len:576 ttl:64)
Nov 1 18:05:03: DROP service dhcp_spoof from 0.0.0.0 to 255.255.255.255, prefix: "spoof iana-0/8" (in: eth2 0.0.0.0(02:26:44:a5:d4:81):68 -> 255.255.255.255(ff:ff:ff:ff:ff:ff):67 UDP len:576 ttl:64)
[/snippet of /var/log/vuurmuur/traffic.log]

Regarding the fact that these messages come in bundles of 6 messages (2-3 seconds apart) followed by a period of silence of 5-6 seconds, the logfile is rapidly filled. Hence the name 'flooding'.

I hope it helps!

Attelas

Ps.

On 11/01/2012 04:59 PM, Victor Julien wrote:
> On 11/01/2012 04:40 PM, attelas wrote:
>> After having checked the appropriate anti-spoofings on the
>> INTERNET.OUTER-ZONE, the log-file (> /var/log/firewall.log) is flooded
>> with messages stating "vrmr: DROP spoof iana-0/8 etc".
> Can you post an example log line?
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> Vuurmuur-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
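
Added example, not part of the original message and not Vuurmuur code: a small triage script for the kernel log format quoted above. It groups "vrmr:" drops by log prefix, interface and source MAC, and labels the 0.0.0.0:68 -> 255.255.255.255:67 UDP flow, which is the shape of a DHCP client broadcast sent before the client holds an address. The function names and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two kernel lines quoted in the message, plus one
# invented line (documentation MAC/IP values) that is not a DHCP broadcast.
SAMPLE = """\
Nov 1 17:54:47 localhost kernel: [508296.522564] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Nov 1 17:54:49 localhost kernel: [508298.528577] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:02:26:44:a5:d4:81:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Nov 1 17:55:10 localhost kernel: [508319.000000] vrmr: DROP spoof iana-0/8 IN=eth2 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=0.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=40000 DPT=53 LEN=40
"""

# "vrmr: <ACTION> <log prefix> IN=..." followed by iptables LOG key=value pairs.
LINE_RE = re.compile(r"vrmr: (?P<action>[A-Z]+) (?P<prefix>.*?) (?P<fields>IN=.*)$")

def parse(line):
    """Return a dict for one vrmr kernel log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = dict(re.findall(r"(\w+)=(\S*)", m["fields"]))
    rec["action"], rec["prefix"] = m["action"], m["prefix"]
    # iptables logs MAC= as destination MAC, source MAC, EtherType.
    rec["src_mac"] = ":".join(rec.get("MAC", "").split(":")[6:12])
    return rec

def is_dhcp_client_broadcast(rec):
    """True for 0.0.0.0:68 -> 255.255.255.255:67 over UDP."""
    return (rec.get("PROTO"), rec.get("SRC"), rec.get("DST"),
            rec.get("SPT"), rec.get("DPT")) == (
            "UDP", "0.0.0.0", "255.255.255.255", "68", "67")

def summarize(text):
    """Count drops per (prefix, interface, source MAC, kind)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        kind = "dhcp-client-broadcast" if is_dhcp_client_broadcast(rec) else "other"
        counts[(rec["prefix"], rec.get("IN", ""), rec["src_mac"], kind)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Run over the full firewall log, the per-MAC counts show how much of the "spoof iana-0/8" volume comes from a single DHCP client and how much is other traffic hitting the same anti-spoofing rule.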
