I'm running SuSE 7.2 on a machine with a single ethernet interface to my LAN where I have a DSL Router (Cayman 3220-H) providing access to the internet. I wish to protect this machine from internet-based attacks while allowing inbound http and smtp access. I believe I have things configured properly enough, but I've been unable to filter all the IGMP traffic and wonder what it means, whether I should care, and if I shouldn't, how to get rid of the log messages. They are of the form:

input DENY eth0 PROTO=2 aaa.bbb.ccc.ddd:65535 239.255.255.250:65535
input DENY eth0 PROTO=2 aaa.bbb.ccc.eee:65535 224.0.0.1:65535

The traffic in the first case comes from one of the Windows machines on my LAN. The traffic in the second case comes from the DSL Router.

What do these mean? Is this traffic harmless, and if so, how do I prevent logging of this traffic?

Thanks much.

-- Eric
> input DENY eth0 PROTO=2 aaa.bbb.ccc.ddd:65535 239.255.255.250:65535
> input DENY eth0 PROTO=2 aaa.bbb.ccc.eee:65535 224.0.0.1:65535
>
> The traffic in the first case comes from one of the Windows machines on my LAN. The traffic in the second case comes from the DSL Router.
>
> What do these mean? Is this traffic harmless, and if so, how do I prevent logging of this traffic?
Mostly harmless, yes. These boxes try to talk multicast-wise and broadcast to multicast addresses. The DSL router is actually the offender here: the packet to the address 224.0.0.1 (the first multicast address) seems to be a multicast membership query, most likely once per minute. The packets from the doze boxes could be replies to them, and if you have any multicast tools on the Windows boxes, you should be able to query all groups that are currently announced. I just wonder why the dozes use this address range, because it's actually reserved for locally maintained multicast scopes. You don't happen to run a multicast tunnel over that DSL router, do you?

If you can, log on to the router and disable multicasting completely.

Depending on the rules you have set in your box, the packets are most likely a fallthrough through your chains; in other words, everything that isn't matched in some rule finally gets logged. Get rid of the messages using

ipchains -I input -d 224.0.0.0/4 -p igmp -j DENY
> Thanks much. -- Eric
Also thanks, Roman.

- -
| Roman Drahtmüller <draht@suse.de>      // "Caution: Cape does
| SuSE GmbH - Security                   // not enable user to fly."
| Nürnberg, Germany  Phone: +49-911-740530 // (Batman Costume warning label)
- -
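The thread leaves Eric with one catch-all rule that silences every IGMP packet to 224.0.0.0/4, whatever its source. Below is an added example, not code from either poster, that applies the reasoning in Roman's reply to the log lines themselves: it parses ipchains log entries of the quoted shape, treats IGMP from a LAN address to the link-local "all hosts" group (224.0.0.1) or to the administratively scoped 239.0.0.0/8 range as the multicast noise Roman describes, and flags anything else (IGMP from outside the LAN, non-IGMP traffic) as still worth logging. It also emits a tighter variant of Roman's rule that adds a `-s <LAN>` source match, so only LAN-originated IGMP is dropped unlogged. The sample log lines and the 192.168.1.0/24 LAN are constructed for the example; the masked addresses in the thread were replaced with private ones. The 239.255.255.250 group that puzzled Roman is, in hindsight, the SSDP/UPnP discovery group Windows uses.

```python
import ipaddress
import re

# Fields of the ipchains log lines as quoted in the thread. Real kernel lines carry
# extra trailing fields (L=, S=, I=, F=, T=, (#rule)); they are simply ignored here.
LOG_RE = re.compile(
    r"(?P<chain>\w+)\s+(?P<target>\w+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

IGMP = 2                                                  # IP protocol number for IGMP
MULTICAST = ipaddress.ip_network("224.0.0.0/4")           # all IPv4 multicast
LINK_LOCAL_GROUPS = ipaddress.ip_network("224.0.0.0/24")  # 224.0.0.1 is "all hosts"
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")        # locally administered scope

# Constructed sample log. The first two lines mirror the thread's lines with the
# masked addresses replaced by private ones; the last two are made up to show
# traffic that the silencing rule must NOT hide.
SAMPLE_LOG = """\
input DENY eth0 PROTO=2 192.168.1.20:65535 239.255.255.250:65535
input DENY eth0 PROTO=2 192.168.1.1:65535 224.0.0.1:65535
input DENY eth0 PROTO=2 198.51.100.9:65535 224.0.0.1:65535
input DENY eth0 PROTO=6 203.0.113.7:4444 192.168.1.10:23
"""


def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "chain": f["chain"],
        "target": f["target"],
        "iface": f["iface"],
        "proto": int(f["proto"]),
        "src": ipaddress.ip_address(f["src"]),
        "dst": ipaddress.ip_address(f["dst"]),
        # ipchains prints 65535 in the port slots for protocols that have no ports
        "sport": int(f["sport"]),
        "dport": int(f["dport"]),
    }


def classify(rec, lan):
    """Decide whether one denied packet is local multicast noise or worth a look."""
    if rec["dst"] not in MULTICAST:
        return "review: unicast traffic"
    if rec["proto"] != IGMP:
        return "review: non-IGMP traffic to a multicast group"
    if rec["src"] not in lan:
        return "review: IGMP from outside the LAN"
    if rec["dst"] in LINK_LOCAL_GROUPS:
        return "noise: IGMP query/report on link-local group (224.0.0.1 = all hosts)"
    if rec["dst"] in ADMIN_SCOPED:
        return "noise: IGMP for an administratively scoped group"
    return "noise: IGMP for a global-scope multicast group"


def triage(log_text, lan_cidr):
    """Return [(line, verdict), ...] for every parseable line in log_text."""
    lan = ipaddress.ip_network(lan_cidr)
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            out.append((line, classify(rec, lan)))
    return out


def silencing_rule(lan_cidr):
    """Roman's rule, tightened to LAN-sourced IGMP only (no -l, so nothing is logged).
    It is inserted at the head of the chain (-I) so it is hit before the catch-all."""
    return f"ipchains -I input -s {lan_cidr} -d 224.0.0.0/4 -p igmp -j DENY"


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"{verdict:<72} {line}")
    print("rule:", silencing_rule("192.168.1.0/24"))
```

Run as-is, the two lines from the thread come out as noise and the two constructed ones as review items; the printed rule is what to add to silence only the former.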
participants (2)
- Eric Swenson
- Roman Drahtmueller