Getting logs flooded with rfc

May 17 10:59:48 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51763 PROTO=UDP SPT=53579 DPT=61112 LEN=100
May 17 10:59:54 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51764 PROTO=UDP SPT=53580 DPT=61112 LEN=100
May 17 11:00:00 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51765 PROTO=UDP SPT=53581 DPT=61112 LEN=100

I don't understand why I am getting these logs
Thanks ----Mike
Linux ns2.local 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
[root@ns2 root]# shorewall version
1.3.14
[root@ns2 root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:af:fa:11:e5 brd ff:ff:ff:ff:ff:ff
    inet 63.231.33.57/29 brd 63.231.33.63 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:67:fc:e8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1405 qdisc pfifo_fast qlen 10
    link/ppp 
    inet 172.16.2.2 peer 172.16.2.1/32 scope global tun1
[root@ns2 root]# ip route show
172.16.2.1 dev tun1  proto kernel  scope link  src 172.16.2.2 
63.231.33.56/29 dev eth0  scope link 
192.168.2.0/24 dev eth1  scope link 
10.19.227.0/24 via 172.16.2.1 dev tun1 
127.0.0.0/8 dev lo  scope link
On Sat, 17 May 2003 11:06:02 -0700, Mike <landers@lanlinecomputers.com> wrote:

> Getting logs flooded with rfc
> May 17 10:59:48 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51763 PROTO=UDP SPT=53579 DPT=61112 LEN=100
> May 17 10:59:54 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51764 PROTO=UDP SPT=53580 DPT=61112 LEN=100
> May 17 11:00:00 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51765 PROTO=UDP SPT=53581 DPT=61112 LEN=100
>
> I don't understand why I am getting these logs
> Thanks ----Mike

You have 'norfc1918' set on eth0 and it looks like there is at least one host connected to that through that interface that has an RFC 1918 address (192.168.0.1).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Weird then, the local subnet is 192.168.2.0/24.
Maybe one of the users has added a node without my knowledge. I believe
this is crashing the server; got a call this morn and a reboot fixed the
problem, the logs are going crazy. I shut off rfc1918 for now until I can
visit the location.
Thanks,
Mike
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>;
<shorewall-users@lists.shorewall.net>
Sent: Saturday, May 17, 2003 11:50 AM
Subject: Re: [Shorewall-users] logs Flooded with Rfc1918
> On Sat, 17 May 2003 11:06:02 -0700, Mike <landers@lanlinecomputers.com>
> wrote:
>
> > Getting logs flooded with rfc
> > May 17 10:59:48 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51763 PROTO=UDP SPT=53579 DPT=61112 LEN=100
> > May 17 10:59:54 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51764 PROTO=UDP SPT=53580 DPT=61112 LEN=100
> > May 17 11:00:00 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51765 PROTO=UDP SPT=53581 DPT=61112 LEN=100
> >
> > I don't understand why I am getting these logs
> > Thanks ----Mike
> >
>
> You have 'norfc1918' set on eth0 and it looks like there is at least one
> host connected to that through that interface that has an RFC 1918 address
> (192.168.0.1).
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>
On Sat, 17 May 2003 11:58:29 -0700, Mike <landers@lanlinecomputers.com> wrote:

> Weird then, the local subnet is 192.168.2.0/24
> Maybe one of the users has added a node without my knowledge. I believe
> this is crashing the server got a call this morn and reboot fixed the
> problem, the logs are going crazy. I shut off rfc1918 for now until I can
> visit the location.

You could always just insert a DROP rule for that IP address near the top of /etc/shorewall/rfc1918.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Thanks Tom, I will try that drop rule; sure seems weird. Do you think this could have crashed the vpn?

Mike

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>; <shorewall-users@lists.shorewall.net>
Sent: Saturday, May 17, 2003 12:02 PM
Subject: Re: [Shorewall-users] logs Flooded with Rfc1918

> On Sat, 17 May 2003 11:58:29 -0700, Mike <landers@lanlinecomputers.com>
> wrote:
>
> > Weird then, the local subnet is 192.168.2.0/24
> > Maybe one of the users has added a node without my knowledge. I believe
> > this is crashing the server got a call this morn and reboot fixed the
> > problem, the logs are going crazy. I shut off rfc1918 for now until I can
> > visit the location.
>
> You could always just insert a DROP rule for that IP address near the top
> of /etc/shorewall/rfc1918.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>
On Sat, 17 May 2003 12:10:12 -0700, Mike <landers@lanlinecomputers.com> wrote:

> Thanks Tom,
> I will try that drop rule, sure seems weird, do you think this could have
> crashed the vpn?

Don't see how....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Just a hunch, but could someone have plugged in a little SOHO router or access point that has an unconfigured DHCP server in it? That would explain the IP address (192.168.0.1 is a common initial setting for SOHO-class gear). The MAC address is in a range assigned to the vendor 'Premax Electronics, Inc':

http://www.shmoo.com/cgi-bin/mac_search.cgi?query=00%3A20%3Ae0

These days Premax is known as Actiontec, which lends credence to the theory. Not sure what udp port 61112 is, though (it's not listed in http://www.portsdb.org or http://www.iana.org/assignments/port-numbers).

Paul

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Mike
> Sent: Saturday, May 17, 2003 11:06 AM
> To: shorewall-users@lists.shorewall.net
> Subject: [Shorewall-users] logs Flooded with Rfc1918
>
>
> Getting logs flooded with rfc
> May 17 10:59:48 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51763 PROTO=UDP SPT=53579 DPT=61112 LEN=100
> May 17 10:59:54 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51764 PROTO=UDP SPT=53580 DPT=61112 LEN=100
> May 17 11:00:00 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51765 PROTO=UDP SPT=53581 DPT=61112 LEN=100
>
> I don't understand why I am getting these logs
> Thanks ----Mike
> <snip>
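The triage Tom and Paul do by eye (which interface, which source IP and MAC, is it one of our subnets, which vendor OUI, what port) can be automated over the log. The Python below is an added example and is not code from the thread or from the Shorewall project. It parses the three records quoted above (joined back onto one line each), splits the netfilter MAC= field into destination MAC, source MAC and EtherType, groups the rfc1918-chain drops by source, flags sources that are RFC 1918 addresses but not in any network this firewall serves, and prints the /etc/shorewall/rfc1918 entry Tom suggests. Assumptions: LOCAL_NETS is taken from Mike's ip output, the OUI table holds only the prefix Paul looked up, and the two-column SUBNET/TARGET layout of the rfc1918 file is assumed from the Shorewall 1.3 format and should be checked against the comments in your own copy of the file.

```python
import ipaddress
import re
from collections import Counter

# The three kernel records quoted in the thread, each joined back onto a single line.
SAMPLE_LOG = """\
May 17 10:59:48 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51763 PROTO=UDP SPT=53579 DPT=61112 LEN=100
May 17 10:59:54 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51764 PROTO=UDP SPT=53580 DPT=61112 LEN=100
May 17 11:00:00 ns2 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:e0:36:31:3b:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=120 TOS=0x00 PREC=0x00 TTL=155 ID=51765 PROTO=UDP SPT=53581 DPT=61112 LEN=100
"""

# Networks this firewall legitimately serves, assumed from the `ip addr show` and
# `ip route show` output in the thread (the eth1 LAN and the subnet reached over tun1).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "10.19.227.0/24")]

RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Minimal OUI table: only the prefix Paul looked up. A real tool would load the IEEE list.
OUI_VENDORS = {"00:20:e0": "Premax Electronics, Inc (now Actiontec)"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_record(line):
    """Turn one Shorewall/netfilter kernel log line into a dict of its fields.

    Returns None for lines that are not Shorewall records. The netfilter MAC= field is
    destination MAC, source MAC and EtherType concatenated, so it is split into three.
    The first LEN= (IP total length) is kept; the second (UDP length) is discarded.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in FIELD_RE.findall(line[m.end():]):
        rec.setdefault(key, value)
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = ":".join(octets[12:])
    return rec


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def summarize(log_text):
    """Group rfc1918-chain drops by ingress interface, source IP and source MAC and
    annotate each group: RFC 1918 source? one of our own networks? broadcast only?
    which proto/port? which NIC vendor? Sorted by drop count, busiest first."""
    records = [r for r in map(parse_record, log_text.splitlines())
               if r and r["chain"] == "rfc1918"]
    groups = Counter((r["IN"], r["SRC"], r.get("src_mac", "")) for r in records)
    findings = []
    for (iface, src, mac), count in groups.most_common():
        same_src = [r for r in records if r["SRC"] == src and r["IN"] == iface]
        findings.append({
            "iface": iface,
            "src": src,
            "src_mac": mac,
            "count": count,
            "vendor": OUI_VENDORS.get(mac[:8], "unknown"),
            "rfc1918": in_any(src, RFC1918_NETS),
            "known_local": in_any(src, LOCAL_NETS),
            "broadcast_only": all(r["DST"] == "255.255.255.255" for r in same_src),
            "dports": sorted({r["PROTO"] + "/" + r["DPT"] for r in same_src}),
        })
    return findings


def rfc1918_drop_entry(src):
    """The entry Tom suggests placing near the top of /etc/shorewall/rfc1918 so the stray
    host is dropped silently instead of filling the log. The SUBNET/TARGET two-column
    layout is an assumption based on the Shorewall 1.3 file format."""
    return f"{src}\t\tDROP"


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG):
        where = "one of our networks" if f["known_local"] else "NOT one of our networks"
        print(f"{f['iface']} {f['src']} ({f['src_mac']}, {f['vendor']}): {f['count']} drops, "
              f"{where}, broadcast_only={f['broadcast_only']}, dports={f['dports']}")
        if f["rfc1918"] and not f["known_local"]:
            print("  suggested /etc/shorewall/rfc1918 entry:", rfc1918_drop_entry(f["src"]))
```

Run against a real /var/log/messages by passing its contents to summarize(). A group whose source is RFC 1918, is not in LOCAL_NETS, and only ever talks to 255.255.255.255 is exactly the picture Paul describes: an unexpected device announcing itself on the wire behind the interface that has norfc1918 set.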