Can someone tell me what's up with this?

Energon
02-28-2001, 04:53 PM
I'm doing some firewall testing and have been checking the logs that it creates (ipchains on kernel 2.2.16, Slack 7.1)... and I'm noticing one really weird little deal and I'm not sure if it's on our internal network or if it's the system itself...

I get this line in my log:

... input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67...

now, why is it that I'm getting input from an IP that can't exist, over UDP on bootp ports? I can't for the life of me figure out what around here is running bootp and why it would give me 0.0.0.0 as a source IP... does anyone out there have any ideas as to what's going on?

Fandelem
02-28-2001, 07:59 PM
well, this could be DHCP as well. and probably is.

and I could be wrong, but I'm pretty sure that when a DHCP client "broadcasts" (asks) for an IP address, it sends out a broadcast to 255.255.255.255:67 (on port 67), but *its* address is unknown - only the MAC address is known... so it sends out 0.0.0.0

do you use DHCP or BOOTP? if not, you do have a serious problem. if you *DO* use DHCP/BOOTP, then you are denying clients somewhere (or everywhere) access to the DHCP server. if this is your computer (the server/DHCP server/firewall server) then you might want to consider blocking requests/sends from outside, but leave it open inside (which most firewall admins do).

this all might be useless, sorry ;o)

~kyle

Energon
03-01-2001, 01:49 AM
ugh... that's not what I was wanting to hear... not only do we not use DHCP (we hand-assign static IPs), but this machine is supposed to be a web server and has absolutely no DHCP anything running on it... :(

Does this mean that someone on our network is set up for DHCP (i.e., just messing with something and screwed up), or do we have a larger problem on our hands?

Fandelem
03-01-2001, 10:53 AM
well, it's denying the packet, so you shouldn't get too worried.

however, is eth0 your external or internal interface? if it's your external, then I'd follow my logs closely and clamp down security for a bit. if it's internal, then yes, most likely someone has set up a DHCP server and is playing around. or perhaps someone has been messing with their TCP/IP settings and chose "Obtain IP Address Automatically", and that would then send out a broadcast like the one you are receiving. Every computer got that broadcast, but every computer ignored it, except yours, which thanks to Linux's logging, you were made aware of ;o)

~kyle
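The two replies above boil down to a triage rule: a UDP packet from 0.0.0.0:68 to 255.255.255.255:67 is a client with no address yet asking for one, while traffic from port 67 to port 68 would be something answering those requests, and which interface it arrived on decides how worried to be. The script below is an added example (not code from the thread's participants) that applies that rule to ipchains log lines. The sample lines are constructed; only the `input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67` portion is modelled on the fragment quoted in the thread, and the `Packet log:` prefix and trailing `L=/S=/I=/F=/T=` fields are assumed to match the 2.2-era ipchains format. The set of external interface names is an assumed parameter.

```python
import re

# Constructed sample log lines (not from the thread). The first mirrors the
# fragment Energon quoted; the second shows what a DHCP *server* answering on
# the LAN would look like; the third is unrelated traffic for contrast.
SAMPLE_LINES = [
    "Feb 28 16:41:02 gw kernel: Packet log: input DENY eth0 PROTO=17 "
    "0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=128 (#2)",
    "Feb 28 16:41:03 gw kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.0.0.1:67 255.255.255.255:68 L=328 S=0x00 I=0 F=0x0000 T=64 (#2)",
    "Feb 28 16:41:09 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "10.0.0.23:1042 10.0.0.80:80 L=60 S=0x00 I=9 F=0x4000 T=64 (#4)",
]

# Fields visible in the thread's log fragment: chain, target, interface,
# protocol number, then source and destination as ip:port.
IPCHAINS_RE = re.compile(
    r"\b(?P<chain>input|output|forward)\s+(?P<target>DENY|REJECT|ACCEPT)\s+"
    r"(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

UDP = 17
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


def parse_ipchains(line):
    """Return a dict of the fields above, or None if the line is not an ipchains packet log."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, external_ifaces):
    """Label one parsed record and say what a defender should do with it.

    external_ifaces: set of interface names that face the outside (assumed input).
    """
    udp = rec["proto"] == UDP
    if (udp and rec["src"] == "0.0.0.0" and rec["sport"] == DHCP_CLIENT_PORT
            and rec["dport"] == DHCP_SERVER_PORT):
        kind = "dhcp-client-request"
        note = ("host with no address yet is asking for one (DHCP/BOOTP client "
                "broadcast); dropped packets are harmless, but on a static-IP "
                "network identify the client by MAC (ipchains does not log it; "
                "a capture with tcpdump -e on that interface will show it)")
    elif udp and rec["sport"] == DHCP_SERVER_PORT and rec["dport"] == DHCP_CLIENT_PORT:
        kind = "dhcp-server-reply"
        note = ("something is answering DHCP requests; with no sanctioned DHCP "
                "server this is a rogue server worth tracking down")
    else:
        kind = "other"
        note = "not DHCP/BOOTP traffic"
    if kind != "other" and rec["iface"] in external_ifaces:
        # Kyle's point: the same packet on the outside interface deserves a closer look.
        note = "seen on an EXTERNAL interface, watch the logs closely; " + note
    return {"kind": kind, "iface": rec["iface"], "target": rec["target"], "note": note}


def triage(lines, external_ifaces=frozenset()):
    """Parse and classify every ipchains packet-log line in `lines`."""
    results = []
    for line in lines:
        rec = parse_ipchains(line)
        if rec is not None:
            results.append(classify(rec, external_ifaces))
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES, external_ifaces={"eth1"}):
        print(f"{r['iface']:5} {r['target']:6} {r['kind']:20} {r['note']}")
```

Run against the constructed lines with eth0 treated as internal, the first line is labelled a DHCP client request, the second a DHCP server reply, and the HTTP line falls through as other traffic; passing `{"eth0"}` as the external set prefixes the DHCP findings with the closer-look warning instead.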