[opensuse] SFW2-INext-DROP-DEFLT IN=eth0
In my dmesg I have a lot of message lines which all start with and have all the same content. Googling gave me discussions since 2004 but no real solution. The only info somewhere was that it is:

Multicast DNS, if you don't need it, disable it
edit your /etc/host.conf and set mdns off

For the time being I have disabled mdns but would like to find some background information. Do I need Multicast? Why does this message creep into Linux since 2004? What is SFW2? Something that drops does not sound good. What drops?

Somebody with answers?

One of the complete lines I find the dmesg full with is:

[60253.528099] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=5e:61:19:e7:2a:36:00:25:86:cf:8d:ae:08:00 SRC=64.41.4.144 DST=192.168.1.101 LEN=54 TOS=0x00 PREC=0x00 TTL=113 ID=6668 PROTO=UDP SPT=27896 DPT=1620 LEN=34

--
Linux User 183145 using LXDE and KDE4 on a Pentium IV,
powered by openSUSE 11.4 (i586) Kernel: 3.0.0-rc4-2-desktop
LXDE WM & KDE Development Platform: 4.6.4 (4.6.4)
11:16am up 17:01, 3 users, load average: 0.46, 0.36, 0.82
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On 06/27/2011 11:18 AM, Constant Brouerius van Nidek wrote:
For the time being I have disabled mdns but would like to find some background information. Do I need Multicast? Why does this message creep into Linux since 2004? What is SFW2? Something that drops does not sound good. What drops?
SFW2 = SuSEFirewall2, frontend to iptables.
A packet that shouldn't connect to your network SHOULD be dropped.
One of the complete lines I find the dmesg full with is:
[60253.528099] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=5e:61:19:e7:2a:36:00:25:86:cf:8d:ae:08:00 SRC=64.41.4.144 DST=192.168.1.101 LEN=54 TOS=0x00 PREC=0x00 TTL=113 ID=6668 PROTO=UDP SPT=27896 DPT=1620 LEN=34
64.41.4.144 is trying to reach you (192.168.1.101) on port 1620 which, according to /etc/services, is faxportwinport.

Hope this helps you to understand your situation better now.

Togan
On Mon, 2011-06-27 at 16:18 +0700, Constant Brouerius van Nidek wrote:
In my dmesg I have a lot of message lines which all start with and have all the same content. Googling gave me discussions since 2004 but no real solution. The only info somewhere was that it is:
Multicast DNS, if you don't need it, disable it edit your /etc/host.conf and set mdns off
For the time being I have disabled mdns but would like to find some background information. Do I need Multicast? Why does this message creep into Linux since 2004? What is SFW2? Something that drops does not sound good. What drops?
SFW2 is the SuSE Firewall 2. A 'drop' here means an incoming package has been dropped, instead of being replied to. It's the purpose of the firewall, and you generally have two ways of answering to an 'intruder':
- Tell him you do not serve this port
- Ignore the package and let the 'intruder' timeout, waiting for an answer.
Somebody with answers?
One of the complete lines I find the dmesg full with is:
[60253.528099] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=5e:61:19:e7:2a:36:00:25:86:cf:8d:ae:08:00 SRC=64.41.4.144 DST=192.168.1.101 LEN=54 TOS=0x00 PREC=0x00 TTL=113 ID=6668 PROTO=UDP SPT=27896 DPT=1620 LEN=34
This does not actually look like a multicast. Some host (64.41.4.144) tried to access your internal machine (192.168.1.101) on port 1620.

This means that on your border gateway, you do have NAT/PAT enabled and apparently do forward a package from external to this port. So it might be intentional. OR it might be a program using UPnP to reconfigure your border gateway, having the port forwarded to you (bittorrent clients use to do that).

So you'd have to evaluate if this is traffic you do want on your machine. If it is, then you should probably allow this specific port in your suse firewall.

Best regards,
Dominique
On Monday, June 27, 2011 04:46:41 PM Dimstar / Dominique Leuenberger wrote:
On Mon, 2011-06-27 at 16:18 +0700, Constant Brouerius van Nidek wrote:
In my dmesg I have a lot of message lines which all start with and have all the same content. Googling gave me discussions since 2004 but no real solution.
The only info somewhere was that it is:
Multicast DNS, if you don't need it, disable it
edit your /etc/host.conf and set mdns off
For the time being I have disabled mdns but would like to find some background information. Do I need Multicast? Why does this message creep into Linux since 2004? What is SFW2? Something that drops does not sound good. What drops?
SFW2 is the SuSE Firewall 2. A 'drop' here means an incoming package has been dropped, instead of being replied to.
It's the purpose of the firewall, and you generally have two ways of answering to an 'intruder':
- Tell him you do not serve this port
- Ignore the package and let the 'intruder' timeout, waiting for an answer.
Somebody with answers?
One of the complete lines I find the dmesg full with is:
[60253.528099] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=5e:61:19:e7:2a:36:00:25:86:cf:8d:ae:08:00 SRC=64.41.4.144 DST=192.168.1.101 LEN=54 TOS=0x00 PREC=0x00 TTL=113 ID=6668 PROTO=UDP SPT=27896 DPT=1620 LEN=34
This does not actually look like a Multicast. Some host (64.41.4.144) tried to access your internal machine (192.168.1.101) on port 1620.
This means that on your border gateway, you do have NAT/PAT enabled and apparently do forward a package from external to this port. So it might be intentional. OR it might be a program using UPnP to reconfigure your border gateway, having the port forwarded to you (bittorrent clients use to do that).
So you'd have to evaluate if this is traffic you do want on your machine. If it is, then you should probably allow this specific port in your suse firewall.
Best regards, Dominique
Thanks Dominique and Togan. Everything is much clearer and I begin to understand some of the information contained in the messages. It is a good start for advance an intensive study of the mechanism of DEFLT.

--
Linux User 183145 using LXDE and KDE4 on a Pentium IV,
powered by openSUSE 11.4 (i586) Kernel: 3.0.0-rc4-2-desktop
LXDE WM & KDE Development Platform: 4.6.4 (4.6.4)
12:52pm up 1 day 0:25, 1 user, load average: 0.36, 0.41, 0.24
On Tue, 2011-06-28 at 12:57 +0700, Constant Brouerius van Nidek wrote:
SFW2-INext-DROP-DEFLT
Don't interpret too much into those letters:

SFW2 => Suse Firewall 2
INext => INbound traffic, on the external interface
DROP => Package has been dropped (could be rejected)
DEFLT => Default rules

Few letters trying to give you as much information as possible.

Dominique
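
The prefix breakdown and the reading of the log line given in the replies above can be reproduced mechanically. The following is an added example, not part of the original thread: it splits the quoted line into its prefix tokens and KEY=VALUE fields and checks whether the destination is a multicast address. The function name parse_sfw2 and the derived keys UDP_LEN, MAC_DST, MAC_SRC and ETHERTYPE are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample: the kernel log line quoted in the thread.
SAMPLE = ("[60253.528099] SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
          "MAC=5e:61:19:e7:2a:36:00:25:86:cf:8d:ae:08:00 SRC=64.41.4.144 "
          "DST=192.168.1.101 LEN=54 TOS=0x00 PREC=0x00 TTL=113 ID=6668 "
          "PROTO=UDP SPT=27896 DPT=1620 LEN=34")

# Prefix tokens as explained in the thread; other tokens pass through as-is.
MEANING = {"SFW2": "SuSE Firewall 2",
           "INext": "inbound traffic on the external interface",
           "DROP": "packet dropped",
           "DEFLT": "default rules"}


def parse_sfw2(line):
    """Split one SFW2 log line into prefix parts and KEY=VALUE fields."""
    m = re.search(r"\bSFW2-([^-\s]+)-([^-\s]+)-(\S+)", line)
    if m is None:
        return None  # not a SuSE Firewall 2 log line
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line[m.end():]):
        # LEN occurs twice for UDP: IP total length first, then UDP length.
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"  # name chosen for this example
        fields[key] = value
    # MAC= holds the 14-byte Ethernet header: dst MAC, src MAC, EtherType.
    mac = fields.get("MAC", "").split(":")
    if len(mac) == 14:
        fields["MAC_DST"] = ":".join(mac[:6])
        fields["MAC_SRC"] = ":".join(mac[6:12])
        fields["ETHERTYPE"] = "".join(mac[12:])  # "0800" is IPv4
    dst = ipaddress.ip_address(fields["DST"]) if "DST" in fields else None
    src = ipaddress.ip_address(fields["SRC"]) if "SRC" in fields else None
    return {
        "prefix": [MEANING.get(t, t) for t in ("SFW2",) + m.groups()],
        "chain": m.group(1), "action": m.group(2), "rule": m.group(3),
        "fields": fields,
        "dst_is_multicast": dst.is_multicast if dst else None,
        "src_is_private": src.is_private if src else None,
    }


if __name__ == "__main__":
    result = parse_sfw2(SAMPLE)
    print(result["prefix"])
    print("multicast destination:", result["dst_is_multicast"])
    print("UDP destination port:", result["fields"]["DPT"])
```

For the quoted line the destination is a unicast private address and the source is a public one, which matches the reading that this is forwarded external traffic rather than multicast DNS.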
participants (3)
- Constant Brouerius van Nidek
- Dimstar / Dominique Leuenberger
- Togan Muftuoglu