From: Robert Nichols <rnicholsNOSPAM@comcast.net>
To: netfilter@vger.kernel.org
Subject: Re: Log flooded with these...
Date: Mon, 20 Oct 2008 01:22:38 -0500
Message-ID: <gdh83f$fmn$1@ger.gmane.org>
In-Reply-To: <48FB64CD.6070205@libertytrek.org>
Simon wrote:
> On 10/19/2008, Simon (tanstaafl@libertytrek.org) wrote:
>> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
>> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=46967
>> PROTO=UDP SPT=68 DPT=67 LEN=308
>> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:04:5a:8f:d6:11:08:00 SRC=192.168.1.250
>> DST=255.255.255.255 LEN=347 TOS=0x00 PREC=0x00 TTL=128 ID=55784
>> PROTO=UDP SPT=67 DPT=68 LEN=327
>> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
>> DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=128 ID=46968
>> PROTO=UDP SPT=68 DPT=67 LEN=340
>
> Help! I'm not an iptables guy... at a minimum, is there a way to just
> tell iptables to stop logging these (silently drop)? I'll continue to
> troubleshoot, if there is a problem, but this is making my logs
> virtually (not totally, but almost) useless...
>
> Also, I guess it would be good to have the reverse command handy - how
> to turn this off and on, so I can test if the problem persists...
All of those groups of 3 packets look like normal DHCP broadcast packets
by machines that do not yet have an IP address assigned. Looking at the
above packets, the first is probably a DHCPDISCOVER sent from MAC address
00:1c:c0:69:16:89 (a device made by Intel, Malaysia), the second would
be the DHCPOFFER sent by your Windows domain controller at IP address
192.168.1.250 and relayed through a Linksys router with MAC address
00:04:5a:8f:d6:11, and the third a DHCPREQUEST sent from the same
device that sent the first packet.
It all looks normal apart from the sudden increase in frequency. Are
machines on your network having trouble getting an IP address assigned
from your domain controller? Note that these are NOT lease renewals --
renewals do not use broadcast packets.
You can filter these out of the log quite easily by adding a
"--dst ! 255.255.255.255" matcher to the LOG rule so that broadcast
packets do not get logged.
-A INPUT --dst ! 255.255.255.255 -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
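As an added example (not part of the thread), the following script applies the reasoning above to log lines of the same format: it parses the KEY=VALUE fields of iptables LOG output, pulls the source MAC out of the MAC field, and separates DHCP broadcasts (UDP to 255.255.255.255 on ports 67/68) from everything else that was dropped, so the broadcasts can be suppressed while other drops stay visible. The sample log text is constructed for the example; the third line is a non-DHCP drop added for contrast.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (not the
# poster's own logs); the third is a non-DHCP TCP drop for contrast.
SAMPLE_LOG = """\
Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=46967 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:5a:8f:d6:11:08:00 SRC=192.168.1.250 DST=255.255.255.255 LEN=347 TOS=0x00 PREC=0x00 TTL=128 ID=55784 PROTO=UDP SPT=67 DPT=68 LEN=327
Oct 19 11:10:34 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:04:5a:8f:d6:11:08:00 SRC=10.0.0.9 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict.
    LEN appears twice (IP header, then UDP header); the second copy is
    stored under 'UDP_LEN' so it does not overwrite the first."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    # MAC= holds dst MAC (6 bytes), src MAC (6 bytes), ethertype (2 bytes).
    parts = fields.get("MAC", "").split(":")
    if len(parts) >= 14:
        fields["SRC_MAC"] = ":".join(parts[6:12])
    return fields

def classify_dhcp(fields):
    """Return 'client-broadcast', 'server-broadcast', or None."""
    if fields.get("PROTO") != "UDP" or fields.get("DST") != "255.255.255.255":
        return None
    if fields.get("SPT") == "68" and fields.get("DPT") == "67":
        return "client-broadcast"   # DISCOVER/REQUEST from an unconfigured host
    if fields.get("SPT") == "67" and fields.get("DPT") == "68":
        return "server-broadcast"   # OFFER/ACK sent back to the client
    return None

def summarize(log_text):
    """Count DHCP broadcasts per (source MAC, direction) and collect the
    remaining dropped packets, which should still be reviewed."""
    dhcp = Counter()
    other = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        kind = classify_dhcp(fields)
        if kind:
            dhcp[(fields.get("SRC_MAC"), kind)] += 1
        else:
            other.append(line)
    return dhcp, other
```

A sudden rise in the client-broadcast count for one MAC is the symptom described above: a host repeatedly trying, and apparently failing, to obtain a lease.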