
Re: IP fw-in deny (?)



Mark Rafn wrote:

> On Thu, 22 Apr 1999, John Kramer wrote:
> > eth0 is your internal lan, right?  Or is eth1 connected to your lan?
> 
> This confused me too.  If the message says it's an input rule from eth0,
> it doesn't seem likely that the packet came in on eth1.  But if it's
> 192.168.4.1 (his eth1 address), it seems unlikely that it came from eth0.

Just to be clearer, the typical message looks like:

kernel: IP fw-in deny eth0 UDP 192.168.4.1:68 255.255.255.255:67 L=328 S=0x00 I=53838 F=0x0000 T=128

eth0 is the NIC to my cable modem.

192.168.4.1 is the NIC to my LAN (eth1) -- whether it's also something
else, I don't know.


> The only thing that catches my eye is the 192.168.4.1 - where did this
> number come from?  Does the PC sending the DHCP request just make it up
> and hope it's not used on your internal network?

Other machines on the cable-modem network should be set up with static
IPs.  Maybe it's a cable modem -- theirs or mine -- booting up.


> > There's not much you can do about your neighbor except ignore him/her.
> 
> Sure there is - you can serve her up an IP number by running your own DHCP
> server.

Ooooooo, my own VPN!  :-)


Robert de Forest added:

> > Your neighbors don't notice anything wrong, but you can snoop 'em
> > at will.
> 
> If your cable modem is as simple as a hub you could probably snoop people's
> traffic without assigning them an IP. I think this is something a lot of
> people are going to be unaware of, and it's going to be a big security
> hole.

Yep, on these networks about the only thing "safe" from snooping is SSL
transactions.  If I type in a password without SSL (the case with most
"free e-mail" services, I believe), a neighbor could see it.  They can
even read this message -- and your replies.

tcpdump on eth0 revealed some bootp traffic:

19:42:29.171807 191.191.191.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 [|bootp]
19:42:29.181807 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:192.168.0.1 [|bootp]
19:42:29.191807 209.187.161.75.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:209.187.161.75 [|bootp]

So maybe that is the source.

Thanks!

Tod
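The "IP fw-in deny" lines in this thread follow the ipfwadm kernel log format; the parser and triage below are an added example, not code from the thread, that splits those lines into fields and tags DHCP/BOOTP broadcasts (port 68 to 67, or 67 to 68, aimed at 255.255.255.255) so they can be counted separately from other denied packets. The sample log lines are constructed, and the field meanings in the comments (L=length, S=TOS, I=IP id, F=fragment, T=TTL) are assumed from the ipfwadm format.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the ipfwadm "IP fw-in deny" format.
SAMPLE_LOG = """\
Apr 22 19:42:29 gw kernel: IP fw-in deny eth0 UDP 192.168.4.1:68 255.255.255.255:67 L=328 S=0x00 I=53838 F=0x0000 T=128
Apr 22 19:42:30 gw kernel: IP fw-in deny eth0 UDP 192.168.0.1:67 255.255.255.255:68 L=328 S=0x00 I=53839 F=0x0000 T=64
Apr 22 19:43:01 gw kernel: IP fw-in deny eth0 TCP 10.9.8.7:1234 192.168.4.1:23 L=60 S=0x00 I=1 F=0x0000 T=54
Apr 22 19:43:02 gw sshd[123]: unrelated line
"""

# chain action iface proto src:sport dst:dport L=len S=tos I=id F=frag T=ttl (assumed field meanings)
LINE_RE = re.compile(
    r"IP (?P<chain>fw-\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)


def parse_fw_line(line: str) -> Optional[dict]:
    """Parse one ipfwadm log line into a dict; return None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    return rec


def classify(rec: dict) -> str:
    """Tag DHCP/BOOTP broadcast noise so it can be separated from other denied packets."""
    udp_bcast = rec["proto"] == "UDP" and rec["dst"] == "255.255.255.255"
    if udp_bcast and rec["sport"] == 68 and rec["dport"] == 67:
        return "dhcp-client-broadcast"  # a host on the segment asking for a lease
    if udp_bcast and rec["sport"] == 67 and rec["dport"] == 68:
        return "dhcp-server-broadcast"  # a DHCP/BOOTP server answering on the segment
    return "other"


def triage(log_text: str) -> dict:
    """Count denied packets per (interface, label) across a whole log."""
    counts: dict = {}
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None or rec["action"] != "deny":
            continue
        key = (rec["iface"], classify(rec))
        counts[key] = counts.get(key, 0) + 1
    return counts
```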

