John Andersen
2002-May-15 20:30 UTC
[Shorewall-users] Foriegn DHCP request on my internal nic
Found this oddity in my log: May 15 11:59:31 norcomix dhcpd: DHCPREQUEST for 192.168.3.10 from 52:41:53:20:60:29:a7:92:5e:d2:be:01:02:00:00:00 via eth1: The dhcpd has suddenly started seening dhcp requests on the internal nic (eth1) which ARP can''t find on my local subnet. Note: My internal subnet is 192.168.2.x, not 192.168.3.x so the dhcp server ignores it. I suspect iptables is letting these requests in, but I can''t find any specific line in my Shorewall rules that would allow that request in, and even if it was there, I would expect it on the other nic (which the dhcp server does not service). (My outside nic, eth0 gets an ip via dhcp if that matters). Does anyone remember the name of that file that allows you to determine Manufacturer from the mac adderess? What am I missing? ______________________________________ John Andersen NORCOM / Juneau, Alaska http://www.screenio.com/
Tom Eastep
2002-May-15 20:50 UTC
[Shorewall-users] Foriegn DHCP request on my internal nic
On Wed, 15 May 2002, John Andersen wrote:> Found this oddity in my log: > May 15 11:59:31 norcomix dhcpd: DHCPREQUEST for 192.168.3.10 from > 52:41:53:20:60:29:a7:92:5e:d2:be:01:02:00:00:00 via eth1: > > The dhcpd has suddenly started seening dhcp requests on the internal > nic (eth1) which ARP can''t find on my local subnet. Note: My internal subnet is 192.168.2.x, not > 192.168.3.x so the dhcp server ignores it. > > I suspect iptables is letting these requests in, but > I can''t find any specific line in my Shorewall rules that would allow that request in, and even if it was > there, I would expect it on the other nic (which the dhcp server does not service). > > (My outside nic, eth0 gets an ip via dhcp if that matters). > > Does anyone remember the name of that file that allows you to > determine Manufacturer from the mac adderess? >Are your two NICs connected to the same switch or HUB? -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net
John Andersen
2002-May-15 21:01 UTC
[Shorewall-users] Foriegn DHCP request on my internal nic
On 15 May 2002 at 13:50, Tom Eastep wrote:> On Wed, 15 May 2002, John Andersen wrote: > > > Found this oddity in my log: > > May 15 11:59:31 norcomix dhcpd: DHCPREQUEST for 192.168.3.10 from > > 52:41:53:20:60:29:a7:92:5e:d2:be:01:02:00:00:00 via eth1: > > > > The dhcpd has suddenly started seening dhcp requests on the internal nic > > (eth1) which ARP can''t find on my local subnet. Note: My internal subnet>> Are your two NICs connected to the same switch or HUB?Nope. Outside nic to cable modem, inside nic to Cisco Switch. I noticed two different IPs were requested, and the mac address differed only in the 4th from the end. (02 and 01) which seems highly unlikely for nics even out of the same batch. ______________________________________ John Andersen NORCOM / Juneau, Alaska http://www.screenio.com/
Tom Eastep
2002-May-15 21:09 UTC
[Shorewall-users] Foriegn DHCP request on my internal nic
On Wed, 15 May 2002, John Andersen wrote:> Found this oddity in my log: > May 15 11:59:31 norcomix dhcpd: DHCPREQUEST for 192.168.3.10 from > 52:41:53:20:60:29:a7:92:5e:d2:be:01:02:00:00:00 via eth1: > > The dhcpd has suddenly started seening dhcp requests on the internal > nic (eth1) which ARP can''t find on my local subnet. Note: My internal subnet is 192.168.2.x, not > 192.168.3.x so the dhcp server ignores it. > > I suspect iptables is letting these requests in, but > I can''t find any specific line in my Shorewall rules that would allow that request in, and even if it was > there, I would expect it on the other nic (which the dhcp server does not service). > > (My outside nic, eth0 gets an ip via dhcp if that matters). >If you have ''dhcp'' specified on eth0 in /etc/shorewall/interfaces, that opens eth0 for dhcp in both directions. Still, your dhcpd is reporting that the request came from eth1. Strange... -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net
John Andersen
2002-May-15 21:18 UTC
[Shorewall-users] Foriegn DHCP request on my internal nic
On 15 May 2002 at 14:09, Tom Eastep wrote:> On Wed, 15 May 2002, John Andersen wrote: > > > Found this oddity in my log: > > May 15 11:59:31 norcomix dhcpd: DHCPREQUEST for 192.168.3.10 from > > 52:41:53:20:60:29:a7:92:5e:d2:be:01:02:00:00:00 via eth1: > >> If you have ''dhcp'' specified on eth0 in /etc/shorewall/interfaces, that> opens eth0 for dhcp in both directions. Still, your dhcpd is reporting > that the request came from eth1.Yup, I do have dhcp specified there for eth0, along with norfc1918, routfilter and blacklist (My blacklist contains one particularly aggressive spammer). People in this town have been known to hang private subnets on the cable modem system. They can get away with this because they are com21 cabelmodems which talk atm on the public side. Its just sort of odd to see it come thru, and its not a big concern. I could cause a lot of head scratching by adding that subnet to my dhcp server and setting it authoritative. ______________________________________ John Andersen NORCOM / Juneau, Alaska http://www.screenio.com/