[opensuse] 224.0.0.1 filling firewall logs
For the last several days, my firewall logs have exploded with entries about 224.0.0.1 (about multi-cast ??) access from my router:

Apr 5 00:57:48 wahoo kernel: [4531053.824463] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=01:00:5e:00:00:01:c0:c1:c0:b4:ea:1e:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Apr 5 00:59:54 wahoo kernel: [4531179.825578] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=01:00:5e:00:00:01:c0:c1:c0:b4:ea:1e:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Apr 5 01:02:00 wahoo kernel: [4531305.826723] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=01:00:5e:00:00:01:c0:c1:c0:b4:ea:1e:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Apr 5 01:04:06 wahoo kernel: [4531431.827802] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=01:00:5e:00:00:01:c0:c1:c0:b4:ea:1e:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2

I have not made any changes to this server recently. Why am I suddenly seeing these entries, and what to do about it?

What I have tried from googling has not worked...

  iptables -A INPUT -s 224.0.0.1 -p tcp --dport 2 -j REJECT

But on the surface this makes no sense as the origin/input is the router, 192.168.1.1, and the destination is 224.0.0.1

But what do I know ??? :^) *very* little

tks,
-- 
(paka)Patrick Shanahan  Plainfield, Indiana, USA  HOG # US1244711
http://wahoo.no-ip.org  Photo Album: http://wahoo.no-ip.org/gallery2
http://en.opensuse.org  openSUSE Community Member
Registered Linux User #207535 @ http://linuxcounter.net
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Saturday, 2013-04-06 at 11:04 -0400, Patrick Shanahan wrote:

> But on the surface this makes no sense as the origin/input is the router, 192.168.1.1, and the destination is 224.0.0.1
>
> But what do I know ??? :^) *very* little

It is a multicast, so you get it even if it is not your address. I see some hits googling for "DST=224.0.0.1". For example, here <http://www.karakas-online.de/forum/viewtopic.php?t=11302> it says:

+++···································
Reason: You use one of those DSL router/firewall boxes that come with a DSL account (e.g. the Arcor Easy Box). The box sends multicast packets (the destination address 224.0.0.1 is a multicast address where all multicast-enabled devices are listening), practically asking for all multicast devices to report themselves. Especially Windows XP likes exchanging traffic from this address as it tries to get its IP autoconfiguration files (a kind of DHCP for IPv6).

Arrow Solution: If you use SuSEfirewall2, open /etc/sysconfig/scripts/SuSEfirewall2-custom and find the function fw_custom_before_antispoofing(). Add the line:

Code:
iptables -A INPUT -j ACCEPT -d 224.0.0.0/24

or

Code:
iptables -A INPUT -j DROP -d 224.0.0.0/24

before the (line with the) "true" statement, depending on whether you want to accept or drop them (but don't add any logging options). Since the above rule will take care of the multicast packets before anything else, they will be accepted or dropped without being logged - and you will be happy! Very Happy
···································++-

<http://en.wikipedia.org/wiki/Internet_Group_Management_Protocol>

Seems reasonable.

-- 
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
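Added example, not part of either message in the thread: the shell functions below parse netfilter LOG lines of the kind shown in the question and count how many of them a rule would match, using a simplified rule model (source address, destination /24 prefix, protocol). PROTO=2 in these lines is the IP protocol number of IGMP, not a TCP port. The names SAMPLE_LOG, FIELDS, summarize_multicast and count_hits are hypothetical, and the third sample line is constructed.

```shell
#!/bin/sh
# Added example. Lines 1-2 are copied from the log excerpt in the thread;
# line 3 is a constructed TCP entry for contrast.
SAMPLE_LOG='Apr 5 00:57:48 wahoo kernel: [4531053.824463] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=01:00:5e:00:00:01:c0:c1:c0:b4:ea:1e:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Apr 5 00:59:54 wahoo kernel: [4531179.825578] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=01:00:5e:00:00:01:c0:c1:c0:b4:ea:1e:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Apr 5 01:00:00 wahoo kernel: [4531185.000000] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:11:22:33:44:55:c0:c1:c0:b4:ea:1e:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# awk action shared by both functions: pull SRC=, DST= and PROTO= out of a
# netfilter LOG line into the variables src, dst and proto.
FIELDS='{ src = dst = proto = ""
  for (i = 1; i <= NF; i++) {
    if ($i ~ /^SRC=/)   src   = substr($i, 5)
    if ($i ~ /^DST=/)   dst   = substr($i, 5)
    if ($i ~ /^PROTO=/) proto = substr($i, 7)
  } }'

# summarize_multicast: read log lines on stdin and print "count src dst proto"
# for every destination inside 224.0.0.0/24.
summarize_multicast() {
  awk "$FIELDS"'
    dst ~ /^224\.0\.0\.[0-9]+$/ { n[src " " dst " " proto]++ }
    END { for (k in n) print n[k], k }' | sort
}

# count_hits SRC DST_PREFIX PROTO: simplified model of one iptables rule.
# An empty argument matches anything; DST_PREFIX "224.0.0." stands for
# -d 224.0.0.0/24; ports are not modelled. Prints the number of stdin log
# lines the rule would match.
count_hits() {
  awk -v s="$1" -v d="$2" -v p="$3" "$FIELDS"'
    (s == "" || src == s) && (d == "" || index(dst, d) == 1) &&
    (p == "" || proto == p) { hits++ }
    END { print hits + 0 }'
}

# Who is sending what to the link-local multicast range?
printf '%s\n' "$SAMPLE_LOG" | summarize_multicast
# Rule tried in the question: source 224.0.0.1, protocol TCP.
echo "-s 224.0.0.1 -p tcp: $(printf '%s\n' "$SAMPLE_LOG" | count_hits 224.0.0.1 '' TCP) hits"
# Rule from the quoted forum post: destination 224.0.0.0/24, any protocol.
echo "-d 224.0.0.0/24: $(printf '%s\n' "$SAMPLE_LOG" | count_hits '' 224.0.0. '') hits"
```

The rule from the question matches none of the logged packets because they carry 224.0.0.1 as destination and IGMP as protocol, while the destination-based rule matches both multicast entries and leaves the TCP entry alone.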
* Carlos E. R. <robin.listas@telefonica.net> [04-06-13 12:00]:
> On Saturday, 2013-04-06 at 11:04 -0400, Patrick Shanahan wrote:
>> But on the surface this makes no sense as the origin/input is the router, 192.168.1.1, and the destination is 224.0.0.1
>>
>> But what do I know ??? :^) *very* little
>
> It is a multicast, so you get it even if it is not your address. I see some hits googling for "DST=224.0.0.1". For example, here <http://www.karakas-online.de/forum/viewtopic.php?t=11302> it says:
>
> +++···································
> Reason: You use one of those DSL router/firewall boxes that come with a DSL account (e.g. the Arcor Easy Box). The box sends multicast packets (the destination address 224.0.0.1 is a multicast address where all multicast-enabled devices are listening), practically asking for all multicast devices to report themselves. Especially Windows XP likes exchanging traffic from this address as it tries to get its IP autoconfiguration files (a kind of DHCP for IPv6).
>
> Arrow Solution: If you use SuSEfirewall2, open /etc/sysconfig/scripts/SuSEfirewall2-custom and find the function fw_custom_before_antispoofing(). Add the line:
>
> Code:
> iptables -A INPUT -j ACCEPT -d 224.0.0.0/24
>
> or
>
> Code:
> iptables -A INPUT -j DROP -d 224.0.0.0/24
>
> before the (line with the) "true" statement, depending on whether you want to accept or drop them (but don't add any logging options). Since the above rule will take care of the multicast packets before anything else, they will be accepted or dropped without being logged - and you will be happy! Very Happy
> ···································++-
>
> <http://en.wikipedia.org/wiki/Internet_Group_Management_Protocol>
>
> Seems reasonable.

Agreed. And I am now a Very Happy camper. And educated :^)

As vulnerabilities are a possibility, also read on other sites, I opted for DROP

tks muck,
-- 
(paka)Patrick Shanahan