This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

lots of dropped traffic

I have recently installed astaro and have seen a lot of traffic dropped on UDP ports 1026-1027. Not enough it seems to set of IPS but still enough for me to take notice when I searched the logs history.
What I'm having trouble with is this..
The source MAC is always the same and the source IP is always different.
The only conclusion I can come up with is that this is a spoofed MAC and the person on the other end is running TOR to conceal their true source IP.
Does that sound about right? Or am I way off base?

Included is a portion of the PF log filtered to show all traffic on UDP 1026.

This thread was automatically locked due to age.

Parents

0 BarryG over 17 years ago

The MAC would be your ISP's router... MACs do not 'travel' with the IP packets.

It's probably MS worms. If you don't like it cluttering your logs, create some definitions and rules to drop it without logging.
You probably want to drop it on the EXT and EXT Broadcast addresses.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 17 years ago

The MAC would be your ISP's router... MACs do not 'travel' with the IP packets.

It's probably MS worms. If you don't like it cluttering your logs, create some definitions and rules to drop it without logging.
You probably want to drop it on the EXT and EXT Broadcast addresses.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 EricH over 17 years ago in reply to BarryG

aahh, ok that makes sense. Thanks for the advise.
Cancel
Vote Up 0 Vote Down

Cancel