From owner-freebsd-questions Sun Mar 25 18:28:30 2001
Date: Sun, 25 Mar 2001 21:28:24 -0500 (EST)
From: Jim Freeze
Cc: "Andrew C. Hornback", FreeBSD Questions
Subject: Re: Meaning of Security Check?
In-Reply-To: <20010325173549.E5425@rfx-216-196-73-168.users.reflex>

On Sun, 25 Mar 2001, Crist J. Clark wrote:

> On Sun, Mar 25, 2001 at 07:55:32PM -0500, Jim Freeze wrote:
> > On Sun, 25 Mar 2001, Crist J. Clark wrote:
> >
> > > On Sat, Mar 24, 2001 at 11:43:32AM -0500, Andrew C. Hornback wrote:
> > > > > -----Original Message-----
> > > > > From: owner-freebsd-questions@FreeBSD.ORG
> > > > > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze
> > > > > Sent: Saturday, March 24, 2001 7:50 AM
> > > > > To: questions@freebsd.org
> > > > > Subject: Meaning of Security Check?
> > > > >
> > > > > Hi:
> > > > >
> > > > > I received the following security check and was wondering what it means:
> > > > >
> > > > > eeyore1 security check output
> > > > >
> > > > > eeyore1 kernel log messages:
> > > > > > x3f8-0x3ff irq 4 flags 0x10 on isa
> > > > > > ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> > > > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > > > > ...where the above is repeated for about 100 lines
> > > > >
> > > > > I looked up port 67 in /etc/services and it says:
> > > > >
> > > > > bootps 67/tcp dhcps #Bootstrap Protocol Server
> > > > > bootps 67/udp dhcps #Bootstrap Protocol Server
> > > > >
> > > > > nslookup says:
> > > > >
> > > > > % nslookup 24.2.7.70
> > > > > Server: proxy1.lxintn1.ky.home.com
> > > > > Address: 24.5.116.15
> > > > >
> > > > > Name: lh1.rdc1.tn.home.com
> > > > > Address: 24.2.7.70
> > > > >
> > > > > Can someone explain what is happening here?
> > > >
> > > > To my (semi)trained eye... you're subject to a new form of a DoS attack.
> > >
> > > [snip]
> > >
> > > Guys, guys. You're hurting me.
> > >
> > > It looks like Jim has broken his own DHCP setup. 24.9.218.175 looks
> > > like the address of the machine generating these logs, correct? It is
> > > blocking its own outgoing packets to lh1.rdc1.tn.home.com which is
> > > your DHCP server, right?
> >
> > Hmmm.. My dns machines are 24.5.116.15 and 24.5.116.17. My ip has not
> > changed (thankfully) and is still 24.9.218.175.
>
> DNS does not really have anything to do with this. Check,
>
> $ grep dhcp-server /var/db/dhclient.leases
>
> To see who your server is.

This returns:

% grep dhcp-server /var/db/dhclient.leases
option dhcp-server-identifier 24.2.7.70;
option dhcp-server-identifier 24.2.7.70;

> You may also want to examine that file to see how far expired your
> lease is.
>

I'm no expert at this, but the file is short.
It looks like my lease time is 7 days.

% cat /var/db/dhclient.leases
lease {
  interface "vx0";
  fixed-address 24.9.218.175;
  option subnet-mask 255.255.255.0;
  option routers 24.9.218.1;
  option domain-name-servers 24.5.116.17,24.5.116.15;
  option domain-name "lxintn1.ky.home.com";
  option broadcast-address 24.9.218.255;
  option dhcp-lease-time 604800;
  option dhcp-message-type 5;
  option dhcp-server-identifier 24.2.7.70;
  renew 0 2001/3/18 20:20:24;
  rebind 3 2001/3/21 11:20:24;
  expire 4 2001/3/22 08:20:24;
}
lease {
  interface "vx0";
  fixed-address 24.9.218.175;
  option subnet-mask 255.255.255.0;
  option routers 24.9.218.1;
  option domain-name-servers 24.5.116.15,24.5.116.17;
  option domain-name "lxintn1.ky.home.com";
  option broadcast-address 24.9.218.255;
  option dhcp-lease-time 604800;
  option dhcp-message-type 5;
  option dhcp-server-identifier 24.2.7.70;
  renew 5 2001/3/23 16:45:14;
  rebind 1 2001/3/26 07:45:14;
  expire 2 2001/3/27 04:45:14;
}

> > > Your machine is trying to renew its lease. You probably want to pass
> > > that traffic.
> >
> > What would the ipfw rule look like?
> >
> > ${fwcmd} add pass udp from any to ${dns1} 67
> > ${fwcmd} add pass udp from any to ${dns2} 67
>
> ${fwcmd} add pass udp from any 68 to any 67 out via ${oif}
> ${fwcmd} add pass udp from any 67 to any 68 in via ${oif}

So, it is my machine that is prompting this traffic?
Will opening this up cause my ip to change? So far it has been static.

Thanks

> Should do it. Again, your DNS servers don't necessarily have anything
> to do with this. DHCP does not need to know its server's address to
> work.
> --
> Crist J. Clark cjclark@alum.mit.edu

=========================================================
Jim Freeze jim@freeze.org
---------------------------------------------------------
No comment at this time. http://www.freeze.org
=========================================================
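As an added example (not code from the thread or from FreeBSD), a small Python script that does what Crist's diagnosis does by hand: it correlates the ipfw Deny lines from the security check with the dhcp-server-identifier recorded in /var/db/dhclient.leases, confirms that the blocked packets are the host's own DHCP renewal (UDP 68 to 67, outbound), and prints pass rules for that exchange. The sample log lines and lease excerpt are constructed from the values quoted above; narrowing the pass rules to the lease server's address rather than `any` is this example's choice, not Crist's.

```python
import re

# Constructed sample input: the ipfw kernel log lines quoted in the thread.
IPFW_LOG = """\
ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
"""
# Constructed excerpt of /var/db/dhclient.leases (server identifier from the thread).
LEASES = 'lease {\n  interface "vx0";\n  option dhcp-server-identifier 24.2.7.70;\n}\n'

# ipfw log line as it appears in the thread: rule, action, proto, src:port, dst:port, dir, iface.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\w+)")

def dhcp_servers(leases_text):
    """Return the set of dhcp-server-identifier values recorded by dhclient."""
    return set(re.findall(r"option dhcp-server-identifier ([\d.]+);", leases_text))

def blocked_dhcp_renewals(log_text, servers):
    """Map (rule, server, iface) -> count of Deny lines that are this host's own
    DHCP client renewals (UDP 68 -> 67, outbound) to a server from the lease file."""
    counts = {}
    for line in log_text.splitlines():
        m = IPFW_RE.search(line)
        if m is None:
            continue
        if (m["action"] == "Deny" and m["proto"] == "UDP" and m["dir"] == "out"
                and m["sport"] == "68" and m["dport"] == "67" and m["dst"] in servers):
            key = (int(m["rule"]), m["dst"], m["iface"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def suggested_rules(servers, oif):
    """Pass rules for the renewal exchange, narrowed to the lease server(s) rather
    than 'any' (this narrowing is an assumption of the example, not from the thread)."""
    rules = []
    for s in sorted(servers):
        rules.append(f"add pass udp from any 68 to {s} 67 out via {oif}")
        rules.append(f"add pass udp from {s} 67 to any 68 in via {oif}")
    return rules

if __name__ == "__main__":
    servers = dhcp_servers(LEASES)
    for (rule, server, iface), n in blocked_dhcp_renewals(IPFW_LOG, servers).items():
        print(f"ipfw rule {rule} denied {n} DHCP renewal(s) to {server} via {iface}")
        for r in suggested_rules(servers, iface):
            print("  ipfw", r)
```

A Deny line whose destination is not a server from the lease file is left unflagged, which is the case worth a closer look: then the traffic is not the host's own renewal.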