Gentoo Forums
firewall floods syslogs
Forum: Networking & Security
sulu (Guru)
Joined: 21 May 2002
Posts: 399
Location: Dornbirn/Austria

Posted: Fri Jun 21, 2002 4:28 am    Post subject: firewall floods syslogs

Hi.

I have a firewall script running which is quite restrictive with the UDP protocol. Everything seems to work fine but my logs are flooded with:

Jun 21 06:08:54 andy-linux kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21782 PROTO=UDP SPT=67 DPT=68 LEN=308

A new entry is added roughly every second.

The service producing those messages seems to be BOOTP-server on port 67 which tries to send some udp-stuff to BOOTP client on port 68.

bootps 67/tcp # BOOTP server
bootps 67/udp
bootpc 68/tcp # BOOTP client
bootpc 68/udp

I'm using a cable-modem connected to eth0.

I did some googling but could not figure out what this dialog is used for.

So my questions are:
- What is this ?
- Who is the sender? (the cable modem ?)
- Receiver seems to be eth0 (interface to the outer world)

- Which services may be affected by these drops?
- Do I have to modify the firewall script?

Thanks
Sulu
klieber (Administrator)
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

Posted: Fri Jun 21, 2002 12:01 pm    Post subject: Re: firewall floods syslogs

sulu wrote:
- What is this ?

It's device 192.168.99.1 broadcasting a BOOTP request to the network. Not sure what device has IP 192.168.99.1, but hopefully you know. :)

sulu wrote:
- Who is the sender? (the cable modem ?)

see above.

sulu wrote:
- Receiver seems to be eth0 (interface to the outer world)

receiver is actually any device on that same network. (probably 192.168.99.X)

sulu wrote:
- Which services may be affected by this drops ?

bootp

sulu wrote:
- Do i have to modify the firewall script ?

it sounds like everything is working for you other than your log files getting filled up with cruft, so no. You can probably reduce the log entries quite a bit by decreasing the log level. Check the [url=http://netfilter.samba.org/]netfilter home page[/url] for more information on that, or google for "iptables log level".

--kurt
_________________
The problem with political jokes is that they get elected
sulu (Guru)
Joined: 21 May 2002
Posts: 399
Location: Dornbirn/Austria

Posted: Fri Jun 21, 2002 12:35 pm

Thanks Kurt.

I'm curious what bootp wants to know so badly that it sends a request every second.
Before screwing down the log-level I need to know what bootp really does.
Is this something related to the boot of the network?

I know, I know ... I should/will do some serious googling.

cya
Sulu
sulu (Guru)
Joined: 21 May 2002
Posts: 399
Location: Dornbirn/Austria

Posted: Fri Jun 21, 2002 12:54 pm

After googling.

Ok. This belongs to dhcp.
Could it be that the dhcpd wants to broadcast the IP into the internal network?
Anyway, it doesn't look dangerous.

Greetz
Sulu
klieber (Administrator)
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

Posted: Fri Jun 21, 2002 2:36 pm

bootp is a simpler, less-capable version of dhcp. Not sure why you're getting a bootp request once per second, but my guess is some device on your network is requesting one. What is 192.168.99.1? Your machine? The cable modem?

--kurt
_________________
The problem with political jokes is that they get elected
sulu (Guru)
Joined: 21 May 2002
Posts: 399
Location: Dornbirn/Austria

Posted: Fri Jun 21, 2002 6:20 pm

Hi Kurt.

That's what I'm trying to figure out.
I can't find it in ifconfig or route -n (see below).

I have a Win-NT box in the local net, maybe it feels lonesome.
No. It must be the cable modem.
Just plugged it off.
.....
Silence
.....

=> This strange IP: 192.168.99.1 is the cable modem itself.
So the culprit is identified. It tells me every second what IP it uses.
Is this common practise ?
It would be interesting to dump the content of the UDP packet.

cya
Sulu
klieber (Administrator)
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

Posted: Fri Jun 21, 2002 6:48 pm

What kind of cable modem are you using? It's odd that it seems to want to ack itself to the world (or at least to your network) every 1 second. bootp isn't supposed to be all that chatty -- the client should be doing the requesting, not the server.

Anyway, you might try contacting your ISP. If you wade through enough of the clueless tier 1 support people, you might actually get to someone who knows why your modem insists on sending out all that crap. (as you can tell, I've never had good luck with ISP support folks. :))

Or, you can set the --log-level in your firewall script to not log that stuff. (again, see the netfilter page for more info)

--kurt
_________________
The problem with political jokes is that they get elected
delta407 (Bodhisattva)
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Fri Jun 21, 2002 6:53 pm

You could install Ethereal (a packet sniffer), shut off iptables temporarily, capture a few packets, and re-enable it. Ethereal would then dissect the packets to tell you exactly what your cable modem is saying.
sulu (Guru)
Joined: 21 May 2002
Posts: 399
Location: Dornbirn/Austria

Posted: Fri Jun 21, 2002 8:02 pm

@klieber

Strange thing, isn't it? But it's definitely the cable modem. Pulling cable out.. => no packet drops => no log flooding.
I have a rather short --limit 2/s on iptables. But as I understand it, it establishes an upper limit of a maximum of two log entries per second. That means I have a rather talkative device, but it works very well.

*shrug* I'll contact the ISP guys. Maybe I'll find one who knows his job.

@delta407
Neat tip.. :roll:

I'll try to catch some of the packets.
Maybe that tells me something.

..................

btw:

I'm getting suspicious about my ISP.
No one can ssh into my box.
I can ssh to the box of my friends easily.

Didn't want to post this issue because it's so instructive doing it the hard way (RTFM, /etc/-screwing, googling...)

But what do you think about :

eth0 Link encap:Ethernet HWaddr 00:04:76:E6:99:B5
inet addr:194.208.121.197 Bcast:255.255.255.255 Mask:255.255.254.0

I initialize my eth0 via dhcp from my ISP.
This is a class C network but the Mask = 255.255.254.0 ????

Do you think that's correct ??
Could that inhibit ssh-connections to my box ?

------------------------------------------------

Thanks a lot.
This is a great forum !

cya
Sulu
delta407 (Bodhisattva)
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Fri Jun 21, 2002 8:17 pm

If it is a class C subnet, that is the wrong netmask. But, with CIDR addressing, this would be possible (i.e. it would be the 194.208.120.0/23 netblock).

A wrong netmask wouldn't prevent SSH connections, it would just break routing, so the fact that you can talk to anything means it's probably correct. Your firewall might be doing that or it's possible your ISP won't let you be a "server" (meaning they won't let you accept incoming TCP connections). Try moving it to a different port (should be an option in /etc/sshd/ somewhere) and see what happens.
klieber (Administrator)
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

Posted: Fri Jun 21, 2002 11:05 pm

sulu wrote:
I have a rather short --limit 2/s on iptables. But as I understand it, it establishes an upper limit of a maximum of two log entries per second. That means I have a rather talkative device, but it works very well.


You *should* be able to define logging levels on a per rule basis. So, create a specific rule that drops packets from your cable modem on the bootp ports and then set the --log-level to the appropriate number, or even better, set up a custom log in syslog.conf that logs to /dev/null.

All that crap in your logs isn't just an annoyance, it makes finding the real stuff that much harder.

--kurt
_________________
The problem with political jokes is that they get elected
delta407 (Bodhisattva)
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Fri Jun 21, 2002 11:12 pm

klieber wrote:
All that crap in your logs isn't just an annoyance, it makes finding the real stuff that much harder.


That is, unless you read your logs with "grep -v MAC\=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00"... which you don't, so never mind. :)
sulu (Guru)
Joined: 21 May 2002
Posts: 399
Location: Dornbirn/Austria

Posted: Sat Jun 22, 2002 3:59 am
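An added example (not code from the thread or from either poster) that implements klieber's suggestion of a specific rule for the modem's BOOTP traffic ahead of the generic log rule, and a safer version of delta407's grep -v that keys on the source address and ports rather than on the broadcast MAC. It assumes the modem is 192.168.99.1 on eth0 as in the thread; the "fp=...:N a=DROP" prefix and the sample log lines are constructed from the posted line.

```shell
#!/bin/sh
# Added example. Two pieces: a targeted silent DROP inserted at the top of
# INPUT so the generic UDP log+drop rule never sees the modem's DHCP/BOOTP
# broadcast, and a log filter anchored on SRC/DST/ports instead of the MAC.
# Assumptions: modem is 192.168.99.1 on eth0 (from the thread); log prefix
# "fp=UDP:2 a=DROP" is the poster's own LOG prefix.

MODEM_IP=192.168.99.1
WAN_IF=eth0

# Escape the dots so 192.168.99.1 cannot also match 192x168x99x1 in a regex.
MODEM_RE=$(printf '%s' "$MODEM_IP" | sed 's/\./[.]/g')
MODEM_BOOTP_RE="SRC=$MODEM_RE DST=255[.]255[.]255[.]255 .*PROTO=UDP SPT=67 DPT=68"

# Silent DROP for exactly this broadcast, at position 1 so it precedes the
# LOG rule; -C first makes re-runs idempotent. Needs root; not run here.
apply_quiet_rule() {
    set -- -i "$WAN_IF" -p udp -s "$MODEM_IP" -d 255.255.255.255 \
           --sport 67 --dport 68 -j DROP
    iptables -C INPUT "$@" 2>/dev/null || iptables -I INPUT 1 "$@"
}

# Read existing logs without the noise:  drop_modem_bootp < /var/log/messages
drop_modem_bootp() {
    grep -v -E "$MODEM_BOOTP_RE"
}

# How many lines are modem noise (grep -c exits 1 on zero matches).
count_modem_bootp() {
    grep -c -E "$MODEM_BOOTP_RE" || true
}

# Constructed sample: two modem offers like the posted line, plus one
# unrelated dropped TCP SYN to port 22 that must survive the filter.
SAMPLE_LOG=$(cat <<'EOF'
Jun 21 06:08:54 andy-linux kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21782 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 21 06:08:55 andy-linux kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21783 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 21 06:08:56 andy-linux kernel: fp=TCP:1 a=DROP IN=eth0 OUT= MAC=00:04:76:e6:99:b5:00:30:94:05:be:54:08:00 SRC=10.0.0.5 DST=194.208.121.197 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
)
```

The DROP is scoped to the modem's source address so genuine DHCP offers from the ISP's server still reach the client; if your lease really does come from 192.168.99.1, log-and-accept that traffic instead of dropping it.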

@delta407

I think that my ISP won't let me play server. I don't think it's the firewall because I've explicitly opened port 22.

@klieber

I'll adapt the iptables ruleset for the cable modem.
A special rule for this event will be appropriate.

btw: With Ethereal I found out that it sends a DHCP offer every second.

Thanks a lot guys.
I'll have an engaged conversation with my ISP.
All times are GMT