On 03.01.09 at 22:10, ghugh Song wrote:

> Since a while ago, I have been getting the following console message (also in /var/log/messages) almost every day. When it happens, it shows on the console in bursts.
>
> Jan 9 21:58:29 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36934 PROTO=UDP SPT=68 DPT=67 LEN=556
First note that it is coming from your ethernet (local?) network, and that it doesn't have an IP: it is a broadcast. Then, notice the ports used, and look them up in "/etc/services":

    bootps  67/udp  # Bootstrap Protocol Server
    bootpc  68/udp  # Bootstrap Protocol Client

You have a machine in your LAN with the above MAC (Ethernet addr) which is broadcasting a request to any dhcp server to give it an IP. If your linux machine is the dhcpd server, allow it on the firewall. Or do you have a DSL router connected to your ethernet port?

> Jan 9 21:58:37 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36935 PROTO=UDP SPT=68 DPT=67 LEN=556
Same thing, some seconds later.
> Jan 9 21:58:44 bellini kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:10:4b:c6:f4:46:00:06:52:4e:b1:8a:08:00 SRC=217.9.113.69 DST=18.62.3.197 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=36051 DF PROTO=TCP SPT=3179 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A503A5E290000000001030300)

This is a mail transfer attempt (smtp).
> Jan 9 21:58:52 bellini kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:97:7f:8e:53:08:00 SRC=18.62.0.228 DST=18.62.0.0 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=8759 PROTO=UDP SPT=1955 DPT=111 LEN=108
111: SUN Remote Procedure Call
> Jan 9 21:58:53 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36936 PROTO=UDP SPT=68 DPT=67 LEN=556

dhcp or bootstrap. Which is your IP number? I see you get at least two packets destined for different IPs, and I don't know which one, if any, is yours.

> What is going on? Is anybody from "SRC" site attacking my linux box or what?

From the above, I can't say, but I don't think so; it seems like normal traffic on an ethernet to me.

--
Cheers,
Carlos Robinson
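As an added illustration (not part of the thread, and not code from either poster), the script below does mechanically what the reply above does by hand: it parses the SuSE-FW kernel log lines quoted in the thread into their fields, splits the MAC= field into destination MAC, source MAC and EtherType, looks the ports up the way one would in /etc/services, and explains each packet (DHCP client broadcast, SMTP connection attempt, broadcast to the RPC portmapper). The sample lines are the ones from the thread; the small service table and the helper names are the example's own.

```python
import re
import socket
from typing import Dict, List, Optional

# The three kernel log lines below are the ones quoted in the thread
# (one per firewall verdict); they are embedded so the script runs offline.
SAMPLE_LOG = """\
Jan 9 21:58:29 bellini kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:a6:46:b3:cd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=15 ID=36934 PROTO=UDP SPT=68 DPT=67 LEN=556
Jan 9 21:58:44 bellini kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:10:4b:c6:f4:46:00:06:52:4e:b1:8a:08:00 SRC=217.9.113.69 DST=18.62.3.197 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=36051 DF PROTO=TCP SPT=3179 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A503A5E290000000001030300)
Jan 9 21:58:52 bellini kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:97:7f:8e:53:08:00 SRC=18.62.0.228 DST=18.62.0.0 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=8759 PROTO=UDP SPT=1955 DPT=111 LEN=108
"""

# Port names as listed in /etc/services for the ports seen in the thread
# (a constructed subset); other ports fall back to the local services database.
KNOWN_SERVICES = {(67, "udp"): "bootps", (68, "udp"): "bootpc",
                  (25, "tcp"): "smtp", (111, "udp"): "sunrpc"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"SuSE-FW-(?P<action>[A-Z-]+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"[A-Z]+")   # bare tokens such as DF and SYN
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def service_name(port: int, proto: str) -> str:
    """Map a port/protocol pair to a service name, like grepping /etc/services."""
    name = KNOWN_SERVICES.get((port, proto))
    if name:
        return name
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def split_mac_field(mac: str) -> Dict[str, str]:
    """The MAC= field is dst MAC (6 bytes), src MAC (6 bytes), EtherType (2 bytes)."""
    octets = mac.split(":")
    if len(octets) != 14:
        return {"dst_mac": "", "src_mac": "", "ethertype": ""}
    return {"dst_mac": ":".join(octets[0:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:14])}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one SuSE-FW kernel log line into a flat dict; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "action": m.group("action")}
    flags = []
    for token in m.group("rest").split():
        kv = KV_RE.fullmatch(token)
        if kv:
            key, value = kv.groups()
            if key in rec:          # LEN appears twice: IP total length, then UDP length
                key += "_L4"
            rec[key] = value
        elif FLAG_RE.fullmatch(token) and token != "OPT":   # OPT starts the TCP options dump
            flags.append(token)
    rec["flags"] = " ".join(flags)
    rec.update(split_mac_field(rec.get("MAC", "")))
    return rec


def classify(rec: Dict[str, str]) -> str:
    """Explain a packet the way the reply in the thread does."""
    proto = rec.get("PROTO", "").lower()
    spt = int(rec.get("SPT", 0) or 0)
    dpt = int(rec.get("DPT", 0) or 0)
    svc = f"{service_name(dpt, proto)} ({dpt}/{proto})"
    if proto == "udp" and spt == 68 and dpt == 67 and rec.get("SRC") == "0.0.0.0":
        return f"DHCP/BOOTP client {rec['src_mac']} broadcasting for an IP lease"
    if rec["dst_mac"] == BROADCAST_MAC:
        return f"LAN broadcast from {rec['SRC']} to {svc} at {rec['DST']}"
    if proto == "tcp" and "SYN" in rec["flags"].split():
        return f"new TCP connection from {rec['SRC']} to {svc} on {rec['DST']}"
    return f"{proto} {rec['SRC']}:{spt} -> {rec['DST']}:{svc}"


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Parse every firewall line in a log and attach a one-line explanation."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            rec["explanation"] = classify(rec)
            records.append(rec)
    return records


def dhcp_clients(records: List[Dict[str, str]]) -> List[str]:
    """MACs of LAN hosts seen broadcasting DHCP/BOOTP requests: the machine to go and find."""
    seen: List[str] = []
    for rec in records:
        if rec["explanation"].startswith("DHCP") and rec["src_mac"] not in seen:
            seen.append(rec["src_mac"])
    return seen


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['action']:15} {rec['explanation']}")
```

Run against a real /var/log/messages, `dhcp_clients` gives the list of source MACs to match against the hosts (or the DSL router) on the LAN, which is the question the reply leaves open; the `src_mac` of the DROP-DEFAULT lines in the thread is 00:20:a6:46:b3:cd.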