On Sat, 6 Apr 2002, Alan Hadsell wrote:
AH> Erwin Lam writes:
AH>
AH> > Well,... I am not an expert in this matter and I don't understand it
AH> > either, but could you please post that log entry so we can have a look
AH> > at it.
AH>
AH> OK, finally back at home where I can get to my logs.
AH>
AH> Here's a log entry from this morning:
AH> ,----
AH> | Apr 6 07:50:33 wally kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth1 OUT= MAC= SRC=64.85.299.299 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
AH> `----
AH>
AH> Interestingly, the source address (which I have mangled in the message
AH> above, BTW) is actually *my* IP address, and that's consistent with
AH> the source port (bootpc) and the destination port (bootps). IOW, it
AH> looks like it's the request from my DHCP client that's being trapped.
AH>
AH> What I can't figure out is how this message is winding up in the INPUT
AH> table, which is where the anti-spoofing rules are.
Is eth1 the interface to the outside world or to you internal network?
--
Erwin Lam (erwin.lam@gmx.net)