Aubrey Kilpatrick
2003-Jul-20 08:53 UTC
[Shorewall-users] log full of same private address
Hello,

I am getting the same IP logged almost continuously on my firewall. I am running "Shorewall 1.4.4b" with a three interface setup. I have looked at the FAQ 17 and tried to check all the items listed there to resolve the problem without success.

A portion of the log file follows:

Jul 19 20:00:06 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29626 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:00:06 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29628 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:00:18 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29630 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:00:18 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29632 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:00:29 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29634 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:00:29 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29636 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:00:40 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29638 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:00:40 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29640 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:01:36 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29642 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 19 20:01:36 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC

The net interface =eth0, the local network=eth1, and the dmz=eth2 per a three interface setup. The MAC address shown in the log is not one of my network cards. That is unless I am reading the log output wrong.

A pointer to the information needed to correct this problem is greatly appreciated.

Thanks for the help.

aubrey
Welcome back Aubrey!

On Sun, 2003-07-20 at 09:01, Aubrey Kilpatrick wrote:
> Hello,
>
> I am getting the same IP logged almost continuously on my firewall. I am
> running "Shorewall 1.4.4b" with a three interface setup. I have looked at
> the FAQ 17 and tried to check all the items listed there to resolve the
> problem without success.

It's the second item listed in FAQ 17 -- the source IP address is listed as 'logdrop' in /etc/shorewall/rfc1918. Near the front of that file, add:

10.1.0.1 DROP

> A portion of the log file follows:

< one log entry would have sufficed>

> The net interface =eth0, the local network=eth1, and the dmz=eth2 per a
> three interface setup. The MAC address shown in the log is not one of my
> network cards. That is unless I am reading the log output wrong.

See FAQ 6d and realize that the MAC address with all bits on means broadcast.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
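The MAC field in these entries is the 14-octet link-layer header (destination MAC, source MAC, EtherType), not a single address. The decoder below is an added example, not part of the original thread or of Shorewall; the function names are hypothetical and the sample line is the first log entry from the post above.

```python
import re

# Log entry copied from the first post in this thread.
SAMPLE = (
    "Jul 19 20:00:06 cm237 kernel: Shorewall:logdrop:DROP:IN=eth0 "
    "OUTMAC=ff:ff:ff:ff:ff:ff:00:09:7c:14:21:38:08:00 SRC=10.1.0.1 "
    "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=29626 "
    "PROTO=UDP SPT=67 DPT=68 LEN=308"
)

def split_mac_field(field):
    """Split the 14-octet MAC= value: destination, source, EtherType."""
    octets = field.lower().split(":")
    if len(octets) != 14 or any(not re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError("expected 14 colon-separated hex octets: %r" % field)
    return {
        "dst_mac": ":".join(octets[:6]),      # all ff = Ethernet broadcast
        "src_mac": ":".join(octets[6:12]),    # the sending interface
        "ethertype": "0x" + "".join(octets[12:]),  # 0x0800 = IPv4
    }

def describe(line):
    """Decode one Shorewall log entry into the fields discussed in the thread."""
    mac = re.search(r"MAC=([0-9A-Fa-f:]+)", line)
    tag = re.search(r"Shorewall:([^:\s]+):([^:\s]+):", line)
    if not mac or not tag:
        raise ValueError("not a Shorewall log entry with a MAC= field")
    kv = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    info = split_mac_field(mac.group(1))
    info.update(
        chain=tag.group(1), disposition=tag.group(2),
        src_ip=kv.get("SRC"), dst_ip=kv.get("DST"),
        broadcast=info["dst_mac"] == "ff:ff:ff:ff:ff:ff",
        # UDP 67 is the DHCP/BOOTP server port, 68 the client port.
        dhcp_server_to_client=(kv.get("PROTO"), kv.get("SPT"), kv.get("DPT"))
        == ("UDP", "67", "68"),
    )
    return info

if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key:22} {value}")
```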
On Sunday 20 July 2003 08:01 am, Aubrey Kilpatrick wrote:
> 09:7c:14:21:38:08:00 <<< see if you can figure out who has that nic...

Some machine on your outside nic has that mac address. It's looking for a dhcp server, but getting blocked by shorewall.

Scan your /var/log/messages to see if your firewall is offering dhcp services on eth0. People will scream at you if you are.

You did get the nics plugged in right??? Eth0 is in fact plugged into your Outside net, and not your inside net by mistake??

--
John Andersen - NORCOM
http://www.norcomsoftware.com