SuSE-FW-ILLEGAL-TARGET IN=eth0
Hi, Since I activated my firewall and the apache server in my computer I am always having this message in my log files: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:01:30:26:89:00:08:00 SRC=10.120.7.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=19038 PROTO=2 First, what does it mean and second how could I get rid of it. thanks Jose
* Jose Sanchez (joseos@okstate.edu) [030614 14:21]: ->Hi, -> ->Since I activated my firewall and the apache server in my computer I am ->always having this message in my log files: -> ->SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= ->MAC=01:00:5e:00:00:01:00:01:30:26:89:00:08:00 SRC=10.120.7.254 ->DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=19038 PROTO=2 -> ->First, what does it mean and second how could I get rid of it. It means your firewall is working and that someone tried to access a port on your system that they were not suppose to access. You can't get rid of it unless you'd like the firewall to stop logging attempts to get past it. It's for your information. It's a simple log entry. -- The IQ and the life expectancy of the average American recently passed each other going in the opposite direction. ---===---===---===--- mailto:ben@whack.org
On Sat, Jun 14, 2003 at 02:30:23PM -0700, Ben Rosenberg wrote:
* Jose Sanchez (joseos@okstate.edu) [030614 14:21]: ->Hi, -> ->Since I activated my firewall and the apache server in my computer I am ->always having this message in my log files: -> ->SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= ->MAC=01:00:5e:00:00:01:00:01:30:26:89:00:08:00 SRC=10.120.7.254 ->DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=19038 PROTO=2 ^^^^^^^^^^^^^ This looks like a multicast network address
-> ->First, what does it mean and second how could I get rid of it.
It means your firewall is working and that someone tried to access a port on your system that they were not suppose to access.
Well, not necessarily. Usually, Solaris uses 224.0.0.1 net for NTP So it might be some Solaris system on Jose's network trying to talk to an NTP server. (Though I might be wrong) -Kastus
On Sun, 2003-06-15 at 00:29, Kastus wrote:
Well, not necessarily. Usually, Solaris uses 224.0.0.1 net for NTP
The official multicast IP for NTP is 224.0.1.1
So it might be some Solaris system on Jose's network trying to talk to an NTP server.
Would they really be using IGMP though?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 14 June 2003 18:21, Jose Sanchez wrote:
Hi,
Since I activated my firewall and the apache server in my computer I am always having this message in my log files:
SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:01:30:26:89:00:08:00 SRC=10.120.7.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=19038 PROTO=2
First, what does it mean and second how could I get rid of it.
thanks
Jose
This is a standard operation for the IP(Internet Protocol).
This particular packet is encapsulated within the IGMP(Internet Gateway
Management Protocol) protocol. Verified by the "PROTO=2" designation. This
information can be found in the RFC Editor website. Particularly at:
http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=1112&type=ftp&file_format=txt
Pulling the RFC 1112, we can then search for the destination IP string -
"DST=224.0.0.1". Which then shows us:
Thanks to all, you always learn something new with this things. Again thanks. Jose Thomas Jones wrote:
On Saturday 14 June 2003 18:21, Jose Sanchez wrote:
Hi,
Since I activated my firewall and the apache server in my computer I am always having this message in my log files:
SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:01:30:26:89:00:08:00 SRC=10.120.7.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=19038 PROTO=2
First, what does it mean and second how could I get rid of it.
thanks
Jose
This is a standard operation for the IP(Internet Protocol).
This particular packet is encapsulated within the IGMP(Internet Gateway Management Protocol) protocol. Verified by the "PROTO=2" designation. This information can be found in the RFC Editor website. Particularly at:
http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=1112&type=ftp&file_format=txt
Pulling the RFC 1112, we can then search for the destination IP string - "DST=224.0.0.1". Which then shows us:
The IP module must also be extended to implement the IGMP protocol, specified in Appendix I. IGMP is used to keep neighboring multicast routers informed of the host group memberships present on a particular local network. To support IGMP, every level 2 host must join the "all-hosts" group (address 224.0.0.1) on each network interface at initialization time and must remain a member for as long as the host is active. </snip> In essence, your computer is simply performing normal multi-casting functions. Not to worry. Just disable logging for this function as Ben has already stated.
Good Luck!
participants (5)
-
Anders Johansson -
Ben Rosenberg -
Jose Sanchez -
Kastus -
Thomas Jones