Energon
05-31-2001, 04:09 PM
Okay, I'm getting this really odd log... I have this rule in my firewall:
# refuse incoming packets pretending to be from the external address.
$IPCHAINS -A input -s $IP -j DENY -l
obviously it's to block spoofed packets claiming to be from my machine... but I'm getting this log:
May 31 12:48:51 xxx kernel: Packet log: input DENY eth0 PROTO=17 xxx:138 yyy:138 L=240 S=0x00 I=0 F=0x4000 T=64 (#2)
May 31 12:48:51 xxx kernel: Packet log: input DENY eth0 PROTO=17 xxx:138 255.255.255.255:138 L=240 S=0x00 I=0 F=0x4000 T=63 (#2)
and in this case, xxx is my IP and yyy is a broadcast IP... now, call me stupid if you will, but it seems that an input packet coming from me to somebody else doesn't make any sense whatsoever... I know it can't be somebody sending spoofed packets because if I ping the yyy address, I get this:
PING yyy (yyy): 56 octets data
64 octets from vvv: icmp_seq=0 ttl=128 time=0.6 ms
64 octets from vvv: icmp_seq=0 ttl=255 time=22.7 ms (DUP!)
64 octets from 10.0.253.1: icmp_seq=0 ttl=255 time=30.6 ms (DUP!)
64 octets from 10.0.1.1: icmp_seq=0 ttl=255 time=30.8 ms (DUP!)
64 octets from 10.0.253.1: icmp_seq=0 ttl=255 time=58.9 ms (DUP!)
64 octets from 10.0.253.1: icmp_seq=0 ttl=255 time=66.9 ms (DUP!)
64 octets from 10.0.253.1: icmp_seq=0 ttl=255 time=96.0 ms (DUP!)
the vvv spots are internet broadcast IPs and the other ones are from our internal network... which says to me that the yyy address is a broadcast address...
So, I guess my next question is, what's causing these input packets from me to somebody else? That doesn't seem like something that could possibly be happening and I'd like it to not be filling up my log, but at the same time, I have to log packets that are input from me so I can catch spoofed packets...
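A way to keep the anti-spoofing rule and still see the signal in its log, as an added example that is not part of the original post: the two logged lines both have the host's own address as source and a broadcast address (the subnet broadcast and 255.255.255.255) as destination on UDP/138, which is local NetBIOS datagram traffic showing up on the input side. Splitting the ipchains "Packet log:" entries into that self-to-broadcast bucket and a self-to-unicast bucket leaves the unicast entries, the ones a spoofer would actually send at the host, as the only ones worth alerting on. The script assumes a host address of 192.0.2.10 on 192.0.2.0/24 (documentation addresses standing in for the post's xxx/yyy placeholders) and the log line layout shown above; the sample log is constructed, with a third, made-up unicast line added to show the case the rule exists for.

```python
"""Triage ipchains 'Packet log:' lines produced by an anti-spoofing rule.

Added example, not code from the original post. Addresses and sample log
lines are constructed; the line layout follows the post's log excerpt.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

LOCAL_IP = ipaddress.ip_address("192.0.2.10")       # assumed: the host's own address ($IP in the rule)
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")    # assumed: the directly attached network
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample log. The first two lines mirror the post (UDP/138 to the
# subnet broadcast and to the limited broadcast); the third is a made-up
# unicast packet claiming to come from the host itself.
SAMPLE_LOG = """\
May 31 12:48:51 host kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:138 192.0.2.255:138 L=240 S=0x00 I=0 F=0x4000 T=64 (#2)
May 31 12:48:51 host kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:138 255.255.255.255:138 L=240 S=0x00 I=0 F=0x4000 T=63 (#2)
May 31 12:49:02 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1025 192.0.2.10:139 L=60 S=0x00 I=12345 F=0x4000 T=62 (#2)
"""

# Field order as in the post's log lines: chain, target, interface, PROTO,
# src:port, dst:port, L (length), S (TOS), I (IP id), F (flags/frag), T (TTL),
# and an optional (#n) rule number.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)


@dataclass
class Entry:
    chain: str
    target: str
    iface: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    ttl: int
    rule: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line; return None for lines that are not packet logs."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Entry(
        chain=m["chain"],
        target=m["target"],
        iface=m["iface"],
        proto=int(m["proto"]),
        src=ipaddress.ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
        ttl=int(m["ttl"]),
        rule=int(m["rule"]) if m["rule"] else None,
    )


def parse_log(text: str) -> list:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def classify(entry: Entry) -> str:
    """Sort an entry into the bucket a defender cares about."""
    if entry.src == LOCAL_IP and entry.dst in (LIMITED_BCAST, LOCAL_NET.broadcast_address):
        # Own address to a broadcast: local broadcast traffic seen on input, noise for this rule.
        return "self-broadcast"
    if entry.src == LOCAL_IP:
        # Own address to a unicast destination: the spoofing case the rule exists to catch.
        return "possible-spoof"
    return "other"


def triage(text: str) -> dict:
    """Count entries per bucket; 'possible-spoof' is the one to alert on."""
    counts = {"self-broadcast": 0, "possible-spoof": 0, "other": 0}
    for entry in parse_log(text):
        counts[classify(entry)] += 1
    return counts


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{classify(entry):16} {entry.src}:{entry.sport} -> {entry.dst}:{entry.dport} proto={entry.proto} ttl={entry.ttl}")
    print(triage(SAMPLE_LOG))
```

Run over the real log, the "self-broadcast" bucket can be dropped or summarised while every "possible-spoof" line is reported in full; the classification uses the subnet and limited broadcast addresses only, so a host on a different network adjusts LOCAL_NET rather than the parser.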