Hi,

I have many, many of these messages in my logs (one of them every minute):

Jul 4 10:27:28 localhost kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=1818 PROTO=2

Is that normal?

This is my interface file:

modem eth0 10.0.0.255 dhcp
net ppp0 - tcpflags,blacklist,norfc1918,routefilter,nosmurfs
loc eth1 192.168.2.255

This is my zones file:

modem Modem ADSL Modem
net Net Internet
loc Local Local networks

I have an ADSL PPTP Modem.

Thanks

Salvatore wrote:
>
> Hi,
>
> I have many, many of these messages in my logs (one of them every minute):
>
> Jul 4 10:27:28 localhost kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=1818 PROTO=2
>
> Is that normal?
>
> This is my interface file:
>
> modem eth0 10.0.0.255 dhcp
> net ppp0 - tcpflags,blacklist,norfc1918,routefilter,nosmurfs
> loc eth1 192.168.2.255
>
> This is my zones file:
>
> modem Modem ADSL Modem
> net Net Internet
> loc Local Local networks
>
> I have an ADSL PPTP Modem.
>
> Thanks

Most likely your modem is spewing out multicast messages. Insert a new rule in the RFC1918 file:

#SUBNET TARGET
192.168.100.1 DROP

*above* the line with:

192.168.0.0/16 logdrop # RFC 1918

..since this last rule is the one that is causing the logging. Just restart shorewall. You can try and access your modem with a web browser, using its own ip, and see if there are any configuration options you may want to disable/enable, while you're at it..

--
Patrick Benson
Stockholm, Sweden

----- Original Message -----
From: "Patrick Benson" <benson@chello.se>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Sunday, July 04, 2004 3:01 PM
Subject: Re: [Shorewall-users] Many rfc1918 logs

> Salvatore wrote:
> >
> > Hi,
> >
> > I have many, many of these messages in my logs (one of them every minute):
> >
> > Jul 4 10:27:28 localhost kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=1818 PROTO=2
> >
> > Is that normal?
> >
> > This is my interface file:
> >
> > modem eth0 10.0.0.255 dhcp
> > net ppp0 - tcpflags,blacklist,norfc1918,routefilter,nosmurfs
> > loc eth1 192.168.2.255
> >
> > This is my zones file:
> >
> > modem Modem ADSL Modem
> > net Net Internet
> > loc Local Local networks
> >
> > I have an ADSL PPTP Modem.
> >
> > Thanks
>
> Most likely your modem is spewing out multicast messages. Insert a new
> rule in the RFC1918 file:
>
> #SUBNET TARGET
> 192.168.100.1 DROP
>
> *above* the line with:
>
> 192.168.0.0/16 logdrop # RFC 1918
>
> ..since this last rule is the one that is causing the logging. Just
> restart shorewall. You can try and access your modem with a web browser,
> using its own ip, and see if there are any configuration options you may
> want to disable/enable, while you're at it..

Hi,
I tried to modify the rfc1918 file too, changing:

192.168.0.0/16 logdrop # RFC 1918

to:

192.168.0.0/16 DROP # RFC 1918

So now I no longer have those messages.

But I am curious to know what that traffic is and whether it's correct to drop it.

Thanks

Salvatore wrote:
>
> ----- Original Message -----
> From: "Patrick Benson" <benson@chello.se>
> To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
> Sent: Sunday, July 04, 2004 3:01 PM
> Subject: Re: [Shorewall-users] Many rfc1918 logs
>
> > Most likely your modem is spewing out multicast messages. Insert a new
> > rule in the RFC1918 file:
> >
> > #SUBNET TARGET
> > 192.168.100.1 DROP
> >
> > *above* the line with:
> >
> > 192.168.0.0/16 logdrop # RFC 1918
> >
> > ..since this last rule is the one that is causing the logging. Just
> > restart shorewall. You can try and access your modem with a web browser,
> > using its own ip, and see if there are any configuration options you may
> > want to disable/enable, while you're at it..
>
> Hi,
> I tried to modify the rfc1918 file too, changing:
>
> 192.168.0.0/16 logdrop # RFC 1918
>
> to:
>
> 192.168.0.0/16 DROP # RFC 1918
>
> So now I no longer have those messages.
>
> But I am curious to know what that traffic is and whether it's correct
> to drop it.

You can find plenty of information at:

http://www.completewhois.com/bogons/

The reason why I suggested that you insert a new rule can be found on the front page. Since you probably know by now that your modem is the cause behind all of those logging messages, it's better to just hide them by inserting the DROP bit for 192.168.100.1. But there may be other traffic on your network trying to get in to your system(s), which may be useful for you to know about by seeing it logged first and then dropped. Dropping the whole 192.168.0.0/16 segment from being logged may be keeping you from seeing suspicious traffic coming your way...

--
Patrick Benson
Stockholm, Sweden
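
The triage described in the last message, as an added example that is not part of the thread or of Shorewall: it parses `Shorewall:rfc1918:DROP:` kernel log lines and separates sources seen only sending to multicast destinations (candidates for a per-host DROP entry above the logdrop line) from sources that should stay logged. Treating multicast-only senders as noise is an assumption of this example, and every sample line except the first is constructed.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample: line 1 is the entry quoted in the thread, the rest are invented.
SAMPLE_LOG = """\
Jul 4 10:27:28 localhost kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=1818 PROTO=2
Jul 4 10:28:28 localhost kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=1819 PROTO=2
Jul 4 10:28:41 localhost kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= SRC=192.168.7.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4242 PROTO=TCP SPT=40000 DPT=22
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse(line):
    """Return (chain, disposition, fields) for a Shorewall log line, else None."""
    m = PREFIX.search(line)
    if not m:
        return None
    # KEY=VALUE tokens; empty values such as "OUT=" and "MAC=" become "".
    fields = dict(tok.split("=", 1) for tok in m["fields"].split() if "=" in tok)
    return m["chain"], m["disp"], fields

def is_multicast(addr):
    try:
        return ip_address(addr).is_multicast
    except ValueError:
        return False

def triage(log_text, chain="rfc1918"):
    """Split logged sources into multicast-only chatter and everything else."""
    flows = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[0] == chain and {"SRC", "DST"} <= rec[2].keys():
            flows[rec[2]["SRC"]][rec[2]["DST"]] += 1
    quiet, keep = {}, {}
    for src, dsts in flows.items():
        bucket = quiet if all(is_multicast(d) for d in dsts) else keep
        bucket[src] = sum(dsts.values())
    return quiet, keep

def rfc1918_entries(quiet):
    """Per-host lines in the '#SUBNET TARGET' form, for above the logdrop line."""
    return [f"{src} DROP" for src in sorted(quiet)]

if __name__ == "__main__":
    quiet, keep = triage(SAMPLE_LOG)
    print("silence:", rfc1918_entries(quiet))
    print("keep logged:", keep)
```

PROTO=2 in the logged line is IGMP and 224.0.0.1 is the all-hosts multicast group, which is why the modem's address lands in the multicast-only bucket while the constructed TCP source stays under logdrop.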