Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 2 subscribers
  • Views 10755 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Not sure what my Logs are saying. Anyone help?

Mike_H
Hi

I keep on getting the below lines filling up my logs

Can anyone tell me what they are or how to stop them?

2004:04:30-13:16:47 (none) kernel: DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:69:34:54:08:00 SRC=10.27.176.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=59088 PROTO=UDP SPT=67 DPT=68 LEN=316 
2004:04:30-13:16:47 (none) kernel: DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:69:34:54:08:00 SRC=10.27.176.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=59093 PROTO=UDP SPT=67 DPT=68 LEN=316 
2004:04:30-13:16:58 (none) kernel: DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:69:34:54:08:00 SRC=10.27.176.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=59128 PROTO=UDP SPT=67 DPT=68 LEN=308 
2004:04:30-13:17:19 (none) kernel: DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:69:34:54:08:00 SRC=10.27.176.1 DST=255.255.255.255 LEN=418 TOS=0x00 PREC=0x00 TTL=255 ID=59178 PROTO=UDP SPT=67 DPT=68 LEN=398


This thread was automatically locked due to age.
Parents
  • 0
    Is this my isp's dhcp server trying to change my ip?  should i be letting it in?
  • 0 in reply to Mike_H
    Right lets try this again.  I apologise for the 2 above posts.

    I have in my packet logs the following constant entries

    2004:04:30-15:25:05 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=20885 PROTO=UDP SPT=137 DPT=137 LEN=58 
    2004:04:30-15:25:06 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=20886 PROTO=UDP SPT=137 DPT=137 LEN=58 
    2004:04:30-15:25:09 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=20887 PROTO=UDP SPT=138 DPT=138 LEN=182 
    2004:04:30-15:25:09 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=20888 PROTO=UDP SPT=137 DPT=137 LEN=58 
    2004:04:30-15:25:09 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=20889 PROTO=UDP SPT=137 DPT=137 LEN=58 
    2004:04:30-15:25:10 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=20890 PROTO=UDP SPT=137 DPT=137 LEN=58 
    2004:04:30-15:25:13 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=211 TOS=0x00 PREC=0x00 TTL=128 ID=20891 PROTO=UDP SPT=138 DPT=138 LEN=191 
    2004:04:30-15:25:15 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:68:56:e7:08:00 SRC=192.168.3.9 DST=192.168.3.255 LEN=218 TOS=0x00 PREC=0x00 TTL=128 ID=46006 PROTO=UDP SPT=138 DPT=138 LEN=198 
    2004:04:30-15:25:15 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:cc:7a:fa[:D]d:08:00 SRC=192.168.3.88 DST=192.168.3.255 LEN=217 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=197 
    2004:04:30-15:25:15 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:cc:7a:fa[:D]d:08:00 SRC=192.168.3.88 DST=192.168.3.255 LEN=217 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=197 
    2004:04:30-15:25:18 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:cc:7a:fa[:D]d:08:00 SRC=192.168.3.88 DST=192.168.3.255 LEN=217 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=197 
    2004:04:30-15:25:20 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:cc:7a:fa[:D]d:08:00 SRC=192.168.3.88 DST=192.168.3.255 LEN=217 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=197 
    2004:04:30-15:25:22 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:cc:7a:fa[:D]d:08:00 SRC=192.168.3.88 DST=192.168.3.255 LEN=217 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=197 
    2004:04:30-15:25:43 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:68:56:e7:08:00 SRC=192.168.3.9 DST=192.168.3.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=46007 PROTO=UDP SPT=138 DPT=138 LEN=209 
    2004:04:30-15:25:57 (none) kernel: DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:24:4a:a9:e6:08:00 SRC=192.168.3.8 DST=192.168.3.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=20893 PROTO=UDP SPT=138 DPT=138 LEN=209 


    However I don't understand why these are being logged, as I have the following rule set to drop and not log these packets:

    Any,Any,Drop,Internal(Broadcast) & External(Broadcast), dont log.

    Any ideas?
  • 0 in reply to Mike_H
    You are seeing the Netbios beaconing from the Microsoft Windows machines on your Internal network (the 192.168.3.0 net). A filter rule such as this should take care of the problem:

    Internal_Network_  { netbios } Internal_Broadcast_  Drop
  • 0 in reply to VelvetFog
    Hi VelvetFrog

    I have a:  Any,Netbios,drop,Any.
    Here is my current home ruleset.

    Packet Filter Rules    Total 10 entries     New Rule ...    Filters   
     
        Group    Source    Service  Action    Destination    Comment  
      1  [none]    Any  0.0.0.0/0   netbios    0.0.0.0/0   Any    Drop annoying broadcast netbios traffic  
      2  [none]    Internal (Address)  192.168.3.4   Any    255.255.255.255/32   General_Broadcast    Allow Firewall DHCP to service network  
      3  [none]    Any  0.0.0.0/0   Any    255.255.255.255/32   General_Broadcast    Drop annoying broadcast traffic  
      4  [none]    Admin-PCs    Any    192.168.3.4   Internal (Address)    Allows Remote Access to Firewall  
      5  [none]    Hilly  192.168.3.8   ping    192.168.3.4   Internal (Address)    Allows ipMonitor to see firewall  
      6  [none]    Any  0.0.0.0/0   Any    192.168.3.4   Internal (Address)    Stealth Rule  
      7  [none]    Internal (Network)  192.168.3.0/24   Any    0.0.0.0/0   Any    Allow internal network access to external services  
      8  [none]    Any  0.0.0.0/0   Hilly-Services    192.168.3.8   Hilly    Allow External services to access Hilly  
      9  [none]    Any  0.0.0.0/0   Starbug-Services    192.168.3.9   Starbug    Allow External services to access Starbug  
      10  [none]    Any  0.0.0.0/0   Any    0.0.0.0/0   Any    Clean up rule

    It still logs  drops.  I am going mad, wondering if it is an 'invisible' rule thats over riding it.
  • 0 in reply to Mike_H
    Your filter rules appears to be from ASL v5. I'm still running version 4, so I can't really comment on v5 specific issues.
  • 0 in reply to VelvetFog
    How do i block this from filling up my logs?

    2004:05:02-00:00:39 (none) kernel: DROP: IN=eth1 OUT= 
    MAC=ff:ff:ff:ff:ff:ff:00:04:28:25:50:54:08:00 SRC=10.40.224.1 DST=255.255.255.255 LEN=355 TOS=0x00 PREC=0x00 TTL=255 ID=58137 PROTO=UDP SPT=67 DPT=68 LEN=335
  • 0 in reply to wojo
    You are seeing the IP broadcast replies from your ISP's DHCP server in your logs.

    First create a Network definition like this:

    Name:  Broadcast32
    Address: 255.255.255.255
    Netmask:  255.255.255.255

    Then make a filter rule like this:

    Any  Any  Broadcast32  Drop

    Move the rule up to the top of your list, making it the first rule.
  • 0 in reply to VelvetFog
    For some reason, broadcast addresses are not included in the any catagory, so if you want to drop traffic sent to the broadcast addrtess (mac = ff:ff:ff:ff:ff:ff) then you have to explicitly create a rule that drops traffic sent to the broadcast address
Reply
  • 0 in reply to VelvetFog
    For some reason, broadcast addresses are not included in the any catagory, so if you want to drop traffic sent to the broadcast addrtess (mac = ff:ff:ff:ff:ff:ff) then you have to explicitly create a rule that drops traffic sent to the broadcast address
Children
No Data