Re: IP fw-in deny (?)
Mark Rafn wrote:
> On Thu, 22 Apr 1999, John Kramer wrote:
> > eth0 is your internal lan, right? Or is eth1 connected to your lan?
>
> This confused me too. If the message says it's an input rule from eth0,
> it doesn't seem likely that the packet came in on eth1. But if it's
> 192.168.4.1 (his eth1 address), it seems unlikely that it came from eth0.
Just to be clearer, the typical message looks like:
kernel: IP fw-in deny eth0 UDP 192.168.4.1:68 255.255.255.255:67 L=328 S=0x00 I=53838 F=0x0000 T=128
eth0 is the NIC to my cable modem.
192.168.4.1 is the NIC to my LAN (eth1) -- whether it's also something
else, I don't know.
> The only thing that catches my eye is the 192.168.4.1 - where did this
> number come from? Does the PC sending the DHCP request just make it up
> and hope it's not used on your internal network?
Other machines on the cable-modem network should be set up with static
IPs. Maybe it's a cable modem -- theirs or mine -- booting up.
> > There's not much you can do about your neighbor except ignore him/her.
>
> Sure there is - you can serve her up an IP number by running your own DHCP
> server.
Ooooooo, my own VPN! :-)
Robert de Forest added:
> > Your neighbors don't notice anything wrong, but you can snoop 'em
> > at will.
>
> If your cable modem is as simple as a hub you could probably snoop people's
> traffic without assigning them an IP. I think this is something a lot of
> people are going to be unaware of, and it's going to be a big security
> hole.
Yep, on these networks about the only thing "safe" from snooping is SSL
transactions. If I type in a password without SSL (the case with most
"free e-mail" services, I believe), a neighbor could see it. They can
even read this message -- and your replies.
tcpdump on eth0 revealed some bootp traffic:
19:42:29.171807 191.191.191.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 [|bootp]
19:42:29.181807 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:192.168.0.1 [|bootp]
19:42:29.191807 209.187.161.75.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:209.187.161.75 [|bootp]
So maybe that is the source.
Thanks!
Tod
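
Added example, not part of the original post: Python code that groups the BOOTP replies from the tcpdump capture above by transaction id and lists which servers answered each one, so that several DHCP servers answering the same request on a shared segment stand out. The capture lines are the ones quoted in the post, joined onto single lines; the "allowed" server set used in the demo is an assumption made for illustration only.

```python
import re
from collections import defaultdict

# Capture lines quoted in the post, each wrapped record joined onto one line.
CAPTURE = """\
19:42:29.171807 191.191.191.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 [|bootp]
19:42:29.181807 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:192.168.0.1 [|bootp]
19:42:29.191807 209.187.161.75.bootps > 255.255.255.255.bootpc: xid:0x78f679f6 S:209.187.161.75 [|bootp]
"""

# Server-to-client reply: "<time> <src-ip>.bootps > <dst-ip>.bootpc: xid:<hex> ..."
# Numeric ports (67/68) are accepted too, as printed by tcpdump -n.
REPLY_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?:bootps|67)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?:bootpc|68):\s+"
    r"xid:(?P<xid>0x[0-9a-fA-F]+)"
)

def responders_by_xid(text):
    """Map each BOOTP/DHCP transaction id to the server addresses that answered it."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            continue  # client requests and unrelated lines are skipped
        xid = int(m.group("xid"), 16)
        if m.group("src") not in seen[xid]:
            seen[xid].append(m.group("src"))
    return dict(seen)

def unexpected_responders(text, allowed):
    """Return {xid: [servers]} for replies sent by servers outside `allowed`."""
    result = {}
    for xid, servers in responders_by_xid(text).items():
        extra = [s for s in servers if s not in allowed]
        if extra:
            result[xid] = extra
    return result

if __name__ == "__main__":
    for xid, servers in responders_by_xid(CAPTURE).items():
        print(f"xid {xid:#010x}: {len(servers)} responder(s): {', '.join(servers)}")
    # Assumption for illustration only: treat 209.187.161.75 as the expected server.
    print(unexpected_responders(CAPTURE, allowed={"209.187.161.75"}))
```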