[Wylug-discuss] Another firewall problem

John Hodrien johnh at comp.leeds.ac.uk
Thu Sep 27 15:48:20 BST 2007


On Thu, 27 Sep 2007, Roger Beaumont wrote:

> Peter Bingham wrote:
>> A quick look at the port names listed shows this to be bootp/dhcp
>> requests (from a quick google which found
>> http://www.linklogger.com/UDP67_68.htm )
>> 
>> I don't know how your ISP organizes things; mine uses 10.x.x.x subnets
>> between the endpoint and the internet for some reason; you may be seeing
>> another machine in the area requesting an address as it's done via
>> broadcast (and not getting one, hence the repeats).
>
> Thanks for that Peter.  In that case, it seems that stopping logging requests 
> from 10.0.0.0/8 would be the solution.
>
> Thanks again,

I think I'd filter differently.  Crud not meant for you that you're picking up
is being sent to the broadcast address (255.255.255.255).  I'd just DROP any
traffic that's not already been accepted for other reasons that's sent to
broadcast.

Otherwise the hacker that shares an ISP doesn't appear in your logs...

jh

-- 
"I have installed ubuntu 7.04, because I am crap with linux and need
  something simple."                                  -- Anon.
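The two filtering choices discussed in this thread, side by side, as an added example that is not part of the original messages. The chain policy, the conntrack rule, the log prefix and the function names `emit_rules` and `bcast_dropped_before_log` are assumptions for illustration. With the `bcast-drop` variant, unicast traffic from 10.x addresses still reaches the LOG rule, while the `src-filter` variant hides it.

```shell
#!/bin/sh
# Added example, not from the thread. Chain policy, the conntrack rule and the
# log prefix are assumptions; merge the idea into your own ruleset.

# Print an iptables-restore ruleset for one of the two approaches:
#   src-filter  stop logging anything from 10.0.0.0/8
#   bcast-drop  drop limited-broadcast traffic ahead of the LOG rule
emit_rules() {
    case "$1" in
        src-filter) quiet='-A INPUT -s 10.0.0.0/8 -j DROP' ;;
        bcast-drop) quiet='-A INPUT -d 255.255.255.255 -j DROP' ;;
        *) echo "usage: emit_rules src-filter|bcast-drop" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ACCEPT rules for traffic you do want go here, above the quiet DROP
$quiet
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Read rules (iptables -S INPUT or iptables-restore form) on stdin. Succeeds
# only if a DROP for 255.255.255.255 sits before the first LOG rule.
bcast_dropped_before_log() {
    awk '
        /-d 255\.255\.255\.255(\/32)? .*-j DROP/ { if (!logged) ok = 1 }
        /-j LOG/ { logged = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Typical use, as root:
#   emit_rules bcast-drop | iptables-restore --test
#   iptables -S INPUT | bcast_dropped_before_log && echo "order OK"
```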


