Date: Sun, 25 Mar 2001 15:16:42 -0800
From: "Crist J. Clark"
To: "Andrew C. Hornback"
Cc: Jim Freeze, FreeBSD Questions
Subject: Re: Meaging of Security Check?
Reply-To: cjclark@alum.mit.edu

On Sat, Mar 24, 2001 at 11:43:32AM -0500, Andrew C. Hornback wrote:
> > -----Original Message-----
> > From: owner-freebsd-questions@FreeBSD.ORG
> > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze
> > Sent: Saturday, March 24, 2001 7:50 AM
> > To: questions@freebsd.org
> > Subject: Meaging of Security Check?
> >
> >
> > Hi:
> >
> > I received the following security check and was wondering what it means:
> >
> > eeyore1 security check output
> >
> > eeyore1 kernel log messages:
> > > x3f8-0x3ff irq 4 flags 0x10 on isa
> > > ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0
> > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0
> > > ...where the above is repeated for about 100 lines
> >
> > I looked up port 67 in /etc/services and it says:
> >
> > bootps 67/tcp dhcps #Bootstrap Protocol Server
> > bootps 67/udp dhcps #Bootstrap Protocol Server
> >
> > nslookup says:
> >
> > % nslookup 24.2.7.70
> > Server: proxy1.lxintn1.ky.home.com
> > Address: 24.5.116.15
> >
> > Name: lh1.rdc1.tn.home.com
> > Address: 24.2.7.70
> >
> > Can someone explain what is happening here?
>
> To my (semi)trained eye... you're subject to a new form of a DoS attack.

[snip]

Guys, guys. You're hurting me.

It looks like Jim has broken his own DHCP setup. 24.9.218.175 looks
like the address of the machine generating these logs, correct? It is
blocking its own outgoing packets to lh1.rdc1.tn.home.com which is
your DHCP server, right? Your machine is trying to renew its
lease. You probably want to pass that traffic.
-- 
Crist J. Clark cjclark@alum.mit.edu
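
Added example, not part of the original message: a small Python triage script for ipfw log lines in the format quoted above, which labels the pattern described in the reply (the host's own DHCP client traffic, UDP port 68 to port 67 outbound, being denied) and also covers the mirror case of a denied server reply. The function names are hypothetical, and the sample input is the log excerpt quoted in the thread.

```python
import re
from collections import Counter

# Line layout seen in the thread's log excerpt:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>
# Entries without ports (e.g. ICMP) do not match and are skipped.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(line):
    """Return a dict for one ipfw log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Label denied DHCP traffic; otherwise return the logged action."""
    action = rec["action"].lower()
    if action == "deny" and rec["proto"] == "UDP":
        ports = (rec["dir"], rec["sport"], rec["dport"])
        if ports == ("out", 68, 67):
            return "own DHCP client request denied"
        if ports == ("in", 67, 68):
            return "DHCP server reply denied"
    return action

def summarize(lines):
    """Count log lines per (label, rule number, source, destination)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            key = (classify(rec), rec["rule"], rec["src"], rec["dst"])
            counts[key] += 1
    return counts

# The four log lines quoted in the thread (the first is not an ipfw entry).
SAMPLE = [
    "x3f8-0x3ff irq 4 flags 0x10 on isa",
    "ipfw: 40 Accept TCP 157.95.47.65:776 24.9.218.175:22 in via vx0",
    "ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0",
    "ipfw: 65000 Deny UDP 24.9.218.175:68 24.2.7.70:67 out via vx0",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

A large count under the "own DHCP client request denied" label, with the source equal to the logging host's own address, points at a missing pass rule ahead of the deny rule rather than at hostile traffic.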