How is this possible? Do I have some DDOS attacks?

Jun 8 08:01:35 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:31:82:2c:08:00 SRC=192.168.0.102 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00

Normal output for my local ln i nat

Jun 8 08:01:18 mail kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:20:ed:6a:15:53:08:00 SRC=192.168.0.50 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1

I have only ports 25 and 53 open, for smtp and bind.

Tanovic Branko wrote:
> How is this possible? Do I have some DDOS attacks?

No.

> Jun 8 08:01:35 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:31:82:2c:08:00 SRC=192.168.0.102
> DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00

The ethernet address with all bits on is the *broadcast address* -- note that the IP address is also the broadcast address for network 192.168.0.0/24. In other words, the above is a perfectly normal broadcast packet from 192.168.0.102 (00:0c:6e:31:82:2c).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> The ethernet address with all bits on is the *broadcast address* -- note
> that the IP address is also the broadcast address for network
> 192.168.0.0/24. In other words, the above is a perfectly normal broadcast
> packet from 192.168.0.102 (00:0c:6e:31:82:2c).
>
> -Tom

But how is it possible to have broadcast 192.168.0.102 from net2fw zone?

loc eth0 detect
net eth1 detect

My eth1:

eth1 Link encap:Ethernet HWaddr 00:0C:41:63:1C:43
     inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0

And this is a more detailed log:

Jun 8 08:01:26 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:42:27:71:c2:08:00 SRC=160.99.105.11 DST=255.255.255.255 LEN=532 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 8 08:01:27 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:21:19:83:08:00 SRC=10.0.0.14 DST=10.0.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4887 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 8 08:01:33 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:88:b5:19:a5:08:00 SRC=212.200.97.254 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=128 ID=64925 PROTO=UDP SPT=68 DPT=67 LEN=320
Jun 8 08:01:35 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:31:82:2c:08:00 SRC=192.168.0.102 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=12742 PROTO=UDP SPT=138 DPT=138 LEN=209
Jun 8 08:01:52 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:8b:ea:8c:87:08:00 SRC=160.99.105.122 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=22092 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 8 08:01:54 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:42:27:71:c2:08:00 SRC=160.99.105.11 DST=255.255.255.255 LEN=532 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 8 08:02:00 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:8b:ea:8c:87:08:00 SRC=160.99.105.122 DST=255.255.255.255 LEN=276 TOS=0x00 PREC=0x00 TTL=128 ID=22157 PROTO=UDP SPT=68 DPT=67 LEN=256

I am trying to find out where my bandwidth is going at 8 in the morning, and the firm starts working from 9:00.

Thank you very much for the quick reply, Tom.

Tanovic Branko wrote:
> Tom Eastep wrote:
>
>> The ethernet address with all bits on is the *broadcast address* -- note
>> that the IP address is also the broadcast address for network
>> 192.168.0.0/24. In other words, the above is a perfectly normal broadcast
>> packet from 192.168.0.102 (00:0c:6e:31:82:2c).
>>
>> -Tom
>
> But how is it possible to have broadcast 192.168.0.102 from net2fw zone?

There is a computer in that broadcast domain configured with the ersatz IP address. For a long time, I had a similar address in my /etc/shorewall/blacklist file because some fool in the same broadcast domain had a system with that address connected to his DSL modem.

I assume that you don't do something silly like connect more than one firewall interface to the same hub/switch...

-Tom
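
The two checks Tom describes (destination MAC with all bits on, and a source address that does not belong to the receiving interface's network) can be run over the posted log lines. This is an added example, not part of the thread: the eth0 network is an assumption, and the names `parse` and `foreign_broadcasters` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

IFACE_NETS = {
    "eth1": ipaddress.ip_network("10.0.0.0/24"),     # from the ifconfig output in the thread
    "eth0": ipaddress.ip_network("192.168.0.0/24"),  # assumption: never shown in the thread
}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
FIELD = re.compile(r"(\w+)=(\S*)")

# Sample input: log lines copied from the messages above.
SAMPLE = """\
Jun 8 08:01:26 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:42:27:71:c2:08:00 SRC=160.99.105.11 DST=255.255.255.255 LEN=532 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 8 08:01:27 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:21:19:83:08:00 SRC=10.0.0.14 DST=10.0.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4887 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 8 08:01:35 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:31:82:2c:08:00 SRC=192.168.0.102 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=12742 PROTO=UDP SPT=138 DPT=138 LEN=209
Jun 8 08:01:54 mail kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:42:27:71:c2:08:00 SRC=160.99.105.11 DST=255.255.255.255 LEN=532 TOS=0x00 PREC=0x00 TTL=2 ID=0 PROTO=UDP SPT=520 DPT=520 LEN=512
Jun 8 08:01:18 mail kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:20:ed:6a:15:53:08:00 SRC=192.168.0.50 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1
"""

def parse(line):
    """Return the KEY=value fields of one log line, with the MAC field split."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # first LEN is the IP length, second is UDP
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:  # destination (6) + source (6) + EtherType (2)
        fields["dst_mac"] = ":".join(octets[:6])
        fields["src_mac"] = ":".join(octets[6:12])
    return fields

def foreign_broadcasters(log_text):
    """Sum IP bytes of broadcasts whose SRC is outside the receiving interface's subnet."""
    totals = Counter()
    for line in log_text.splitlines():
        f = parse(line)
        net = IFACE_NETS.get(f.get("IN"))
        if net is None or f.get("dst_mac") != BROADCAST_MAC or "SRC" not in f:
            continue  # unknown interface, not a broadcast, or not a packet log line
        if ipaddress.ip_address(f["SRC"]) not in net:
            totals[(f["IN"], f["src_mac"], f["SRC"])] += int(f.get("LEN", 0))
    return totals

if __name__ == "__main__":
    for (iface, mac, src), size in foreign_broadcasters(SAMPLE).most_common():
        print(f"{iface} {mac} SRC={src} outside {IFACE_NETS[iface]}: {size} bytes")
```

The source MAC in each result identifies the machine on the shared segment, which is what a switch port lookup or a blacklist entry needs.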