Date: Sun, 25 Mar 2001 21:28:24 -0500 (EST) From: Jim Freeze <jim@freeze.org> To: <cjclark@alum.mit.edu> Cc: "Andrew C. Hornback" <hornback@wireco.net>, FreeBSD Questions <questions@FreeBSD.ORG> Subject: Re: Meaging of Security Check? Message-ID: <Pine.BSF.4.32.0103252119090.44160-100000@www.stelesys.com> In-Reply-To: <20010325173549.E5425@rfx-216-196-73-168.users.reflex>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 25 Mar 2001, Crist J. Clark wrote: > On Sun, Mar 25, 2001 at 07:55:32PM -0500, Jim Freeze wrote: > > On Sun, 25 Mar 2001, Crist J. Clark wrote: > > > > > On Sat, Mar 24, 2001 at 11:43:32AM -0500, Andrew C. Hornback wrote: > > > > > -----Original Message----- > > > > > From: owner-freebsd-questions@FreeBSD.ORG > > > > > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze > > > > > Sent: Saturday, March 24, 2001 7:50 AM > > > > > To: questions@freebsd.org > > > > > Subject: Meaging of Security Check? > > > > > > > > > > > > > > > Hi: > > > > > > > > > > I received the following security check and was wondering what it means: > > > > > > > > > > eeyore1 security check output > > > > > > > > > > eeyore1 kernel log messages: > > > > > > x3f8-0x3ff irq 4 flags 0x10 on isa > > > > > > ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0 > > > > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0 > > > > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0 > > > > > > ...where the above is repeated for about 100 lines > > > > > > > > > > I looked up port 67 in /etc/services and it says: > > > > > > > > > > bootps 67/tcp dhcps #Bootstrap Protocol Server > > > > > bootps 67/udp dhcps #Bootstrap Protocol Server > > > > > > > > > > nslookup says: > > > > > > > > > > % nslookup 24.2.7.70 > > > > > Server: proxy1.lxintn1.ky.home.com > > > > > Address: 24.5.116.15 > > > > > > > > > > Name: lh1.rdc1.tn.home.com > > > > > Address: 24.2.7.70 > > > > > > > > > > Can someone explain what is happening here? > > > > > > > > To my (semi)trained eye... you're subject to a new form of a DoS attack. > > > > > > [snip] > > > > > > Guys, guys. You're hurting me. > > > > > > It looks like Jim has broken his own DHCP setup. 24.9.218.175 looks > > > like the address of the machine generating these logs, correct? It is > > > blocking its own outgoing packets to lh1.rdc1.tn.home.com which is > > > your DHCP server, right? > > > > Hmmm.. My dns machines are 24.5.116.15 and 24.5.116.17. My ip has not > > changed (thankfully) and is still 24.9.218.175. > > DNS does not really have anything to do with this. Check, > > $ grep dhcp-server /var/db/dhclient.leases > > To see who your server is. This returns: % grep dhcp-server /var/db/dh client.leases option dhcp-server-identifier 24.2.7.70; option dhcp-server-identifier 24.2.7.70; > > You may also want to examine that file to see how far expired your > lease is. > I'm no expert at this, but the file is short. It looks like my lease time is 7 days. % cat /var/db/dhclient.leases lease { interface "vx0"; fixed-address 24.9.218.175; option subnet-mask 255.255.255.0; option routers 24.9.218.1; option domain-name-servers 24.5.116.17,24.5.116.15; option domain-name "lxintn1.ky.home.com"; option broadcast-address 24.9.218.255; option dhcp-lease-time 604800; option dhcp-message-type 5; option dhcp-server-identifier 24.2.7.70; renew 0 2001/3/18 20:20:24; rebind 3 2001/3/21 11:20:24; expire 4 2001/3/22 08:20:24; } lease { interface "vx0"; fixed-address 24.9.218.175; option subnet-mask 255.255.255.0; option routers 24.9.218.1; option domain-name-servers 24.5.116.15,24.5.116.17; option domain-name "lxintn1.ky.home.com"; option broadcast-address 24.9.218.255; option dhcp-lease-time 604800; option dhcp-message-type 5; option dhcp-server-identifier 24.2.7.70; renew 5 2001/3/23 16:45:14; rebind 1 2001/3/26 07:45:14; expire 2 2001/3/27 04:45:14; } > > > Your machine is trying to renew its lease. You probably want to pass > > > that traffic. > > > > What would the ipfw rule look like? > > > > ${fwcmd} add pass udp from any to ${dns1} 67 > > ${fwcmd} add pass udp from any to ${dns2} 67 > > ${fwcmd} add pass udp from any 68 to any 67 out via ${oif} > ${fwcmd} add pass udp from any 67 to any 68 in via ${oif} So, it is my machine that is prompting this traffic? Will opening this up cause my ip to change? So far it has been static. Thanks > > Should do it. Again, your DNS servers don't necessarily have anything > to do with this. DHCP does not need to know its server's address to > work. > -- > Crist J. Clark cjclark@alum.mit.edu > ========================================================= Jim Freeze jim@freeze.org --------------------------------------------------------- No comment at this time. http://www.freeze.org ========================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.32.0103252119090.44160-100000>