Date:      Sun, 25 Mar 2001 21:28:24 -0500 (EST)
From:      Jim Freeze <jim@freeze.org>
To:        <cjclark@alum.mit.edu>
Cc:        "Andrew C. Hornback" <hornback@wireco.net>, FreeBSD Questions <questions@FreeBSD.ORG>
Subject:   Re: Meaning of Security Check?
Message-ID:  <Pine.BSF.4.32.0103252119090.44160-100000@www.stelesys.com>
In-Reply-To: <20010325173549.E5425@rfx-216-196-73-168.users.reflex>

On Sun, 25 Mar 2001, Crist J. Clark wrote:

> On Sun, Mar 25, 2001 at 07:55:32PM -0500, Jim Freeze wrote:
> > On Sun, 25 Mar 2001, Crist J. Clark wrote:
> >
> > > On Sat, Mar 24, 2001 at 11:43:32AM -0500, Andrew C. Hornback wrote:
> > > > > -----Original Message-----
> > > > > From: owner-freebsd-questions@FreeBSD.ORG
> > > > > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze
> > > > > Sent: Saturday, March 24, 2001 7:50 AM
> > > > > To: questions@freebsd.org
> > > > > Subject: Meaning of Security Check?
> > > > >
> > > > >
> > > > > Hi:
> > > > >
> > > > > I received the following security check and was wondering what it means:
> > > > >
> > > > > eeyore1 security check output
> > > > >
> > > > > eeyore1 kernel log messages:
> > > > > > x3f8-0x3ff irq 4 flags 0x10 on isa
> > > > > > ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> > > > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > > > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > > > >  ...where the above is repeated for about 100 lines
> > > > >
> > > > > I looked up port 67 in /etc/services and it says:
> > > > >
> > > > > bootps           67/tcp    dhcps        #Bootstrap Protocol Server
> > > > > bootps           67/udp    dhcps        #Bootstrap Protocol Server
> > > > >
> > > > > nslookup says:
> > > > >
> > > > > % nslookup 24.2.7.70
> > > > > Server:  proxy1.lxintn1.ky.home.com
> > > > > Address:  24.5.116.15
> > > > >
> > > > > Name:    lh1.rdc1.tn.home.com
> > > > > Address:  24.2.7.70
> > > > >
> > > > > Can someone explain what is happening here?
> > > >
> > > > 	To my (semi)trained eye... you're subject to a new form of a DoS attack.
> > >
> > > [snip]
> > >
> > > Guys, guys. You're hurting me.
> > >
> > > It looks like Jim has broken his own DHCP setup. 24.9.218.175 looks
> > > like the address of the machine generating these logs, correct? It is
> > > blocking its own outgoing packets to lh1.rdc1.tn.home.com which is
> > > your DHCP server, right?
> >
> > Hmmm.. My dns machines are 24.5.116.15 and 24.5.116.17. My ip has not
> > changed (thankfully) and is still 24.9.218.175.
>
> DNS does not really have anything to do with this. Check,
>
>   $ grep dhcp-server /var/db/dhclient.leases
>
> To see who your server is.

This returns:
% grep dhcp-server /var/db/dhclient.leases
  option dhcp-server-identifier 24.2.7.70;
  option dhcp-server-identifier 24.2.7.70;

>
> You may also want to examine that file to see how far expired your
> lease is.
>

I'm no expert at this, but the file is short.
It looks like my lease time is 7 days.

% cat /var/db/dhclient.leases

lease {
  interface "vx0";
  fixed-address 24.9.218.175;
  option subnet-mask 255.255.255.0;
  option routers 24.9.218.1;
  option domain-name-servers 24.5.116.17,24.5.116.15;
  option domain-name "lxintn1.ky.home.com";
  option broadcast-address 24.9.218.255;
  option dhcp-lease-time 604800;
  option dhcp-message-type 5;
  option dhcp-server-identifier 24.2.7.70;
  renew 0 2001/3/18 20:20:24;
  rebind 3 2001/3/21 11:20:24;
  expire 4 2001/3/22 08:20:24;
}
lease {
  interface "vx0";
  fixed-address 24.9.218.175;
  option subnet-mask 255.255.255.0;
  option routers 24.9.218.1;
  option domain-name-servers 24.5.116.15,24.5.116.17;
  option domain-name "lxintn1.ky.home.com";
  option broadcast-address 24.9.218.255;
  option dhcp-lease-time 604800;
  option dhcp-message-type 5;
  option dhcp-server-identifier 24.2.7.70;
  renew 5 2001/3/23 16:45:14;
  rebind 1 2001/3/26 07:45:14;
  expire 2 2001/3/27 04:45:14;
}


> > > Your machine is trying to renew its lease. You probably want to pass
> > > that traffic.
> >
> > What would the ipfw rule look like?
> >
> >      ${fwcmd} add pass udp from any to ${dns1} 67
> >      ${fwcmd} add pass udp from any to ${dns2} 67
>
>   ${fwcmd} add pass udp from any 68 to any 67 out via ${oif}
>   ${fwcmd} add pass udp from any 67 to any 68 in  via ${oif}

So, it is my machine that is prompting this traffic?
Will opening this up cause my ip to change? So far it has been static.

Thanks


>
> Should do it. Again, your DNS servers don't necessarily have anything
> to do with this. DHCP does not need to know its server's address to
> work.
> --
> Crist J. Clark                           cjclark@alum.mit.edu
>


=========================================================
Jim Freeze
jim@freeze.org
---------------------------------------------------------
No comment at this time.
http://www.freeze.org
=========================================================
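As an added example (not code from anyone in this thread), a small Python checker that cross-references ipfw deny lines like the ones in the security check against dhclient.leases and reports denied packets that are really the host's own DHCP renewals (UDP 68 to 67 towards the recorded dhcp-server-identifier), the situation Crist describes rather than a DoS. The sample log lines and lease block are copied from the thread and embedded inline; the function names are mine.

```python
import re
from typing import Dict, List

# Matches the ipfw log format seen in the security check output, e.g.
# "ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Sample input taken from the thread (kernel log lines and one lease).
LOG = [
    "x3f8-0x3ff irq 4 flags 0x10 on isa",
    "ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0",
    "ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0",
    "ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0",
]
LEASES = """lease {
  interface "vx0";
  fixed-address 24.9.218.175;
  option dhcp-lease-time 604800;
  option dhcp-server-identifier 24.2.7.70;
  expire 2 2001/3/27 04:45:14;
}"""


def parse_ipfw(lines: List[str]) -> List[Dict[str, str]]:
    """Return one field dict per ipfw log line; other lines are skipped."""
    return [m.groupdict() for m in map(IPFW_RE.search, lines) if m]


def lease_servers(leases_text: str) -> Dict[str, str]:
    """Map each fixed-address in dhclient.leases to its DHCP server."""
    servers = {}
    for block in re.findall(r"lease \{(.*?)\}", leases_text, re.S):
        addr = re.search(r"fixed-address ([\d.]+);", block)
        srv = re.search(r"dhcp-server-identifier ([\d.]+);", block)
        if addr and srv:
            servers[addr.group(1)] = srv.group(1)
    return servers


def blocked_renewals(log_lines: List[str], leases_text: str) -> Dict[str, int]:
    """Count denied outbound UDP 68->67 packets from our own leased address
    to the server that issued the lease: our own renewals being dropped."""
    servers = lease_servers(leases_text)
    counts: Dict[str, int] = {}
    for e in parse_ipfw(log_lines):
        if (e["action"] == "Deny" and e["proto"] == "UDP" and e["dir"] == "out"
                and e["sport"] == "68" and e["dport"] == "67"
                and servers.get(e["src"]) == e["dst"]):
            counts[e["dst"]] = counts.get(e["dst"], 0) + 1
    return counts
```

A non-empty result means the firewall is dropping the host's own lease renewals, which is exactly what the two pass rules Crist gives (UDP 68 to 67 out, 67 to 68 in) are meant to allow.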

