# firewall floods syslogs

## sulu

Hi.

I have a firewall script running which is quite restrictive with the udp protocol. Everything seems to work fine but my logs are flooded with:

Jun 21 06:08:54 andy-linux kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21782 PROTO=UDP SPT=67 DPT=68 LEN=308

A new entry is added roughly every second.

The service producing those messages seems to be BOOTP-server on port 67 which tries to send some udp-stuff to BOOTP client on port 68.

bootps          67/tcp                          # BOOTP server
bootps          67/udp
bootpc          68/tcp                          # BOOTP client
bootpc          68/udp

I'm using a cable-modem connected to eth0.

I did some googling but could not figure out what this dialog is used for.

So my questions are:

- What is this?

- Who is the sender? (the cable modem?)

- Receiver seems to be eth0 (interface to the outer world)

- Which services may be affected by these drops?

- Do I have to modify the firewall script?

Thanks

Sulu

----------

## klieber

*sulu wrote:*

> - What is this?

It's device 192.168.99.1 broadcasting a BOOTP request to the network.  Not sure what device has IP 192.168.99.1, but hopefully you know.  :Smile: 

*sulu wrote:*

> - Who is the sender? (the cable modem?)

see above.

*sulu wrote:*

> - Receiver seems to be eth0 (interface to the outer world)

receiver is actually any device on that same network.  (probably 192.168.99.X) 

*sulu wrote:*

> - Which services may be affected by these drops?

bootp

*sulu wrote:*

> - Do I have to modify the firewall script?

it sounds like everything is working for you other than your log files getting filled up with cruft, so no.  You can probably reduce the log entries quite a bit by decreasing the log level.  Check the [netfilter home page](http://netfilter.samba.org/) for more information on that, or google for "iptables log level".

--kurt

----------

## sulu

Thanks Kurt.

I'm curious what bootp wants to know so badly that it sends a request every second.

Before screwing down the log-level I need to know what bootp really does. 

Is this something related to the boot of the network? 

I know, I know ... I should/will do some serious googling.

cya

Sulu

----------

## sulu

After googling.

Ok. This belongs to dhcp.

Could it be that the dhcpd wants to broadcast the IP into the internal network?

Anyway, it doesn't look dangerous. 

Greetz

Sulu

----------

## klieber

bootp is a simpler, less-capable version of dhcp.  Not sure why you're getting a bootp request once per second, but my guess is some device on your network is requesting one.  What is 192.168.99.1?  Your machine?  The cable modem?

--kurt

----------

## sulu

Hi Kurt.

That's what I'm trying to figure out.

I can't find it in ifconfig or route -n (see below).

I have a Win-NT box in the local net, maybe it feels lonesome.

No. It must be the cable modem.

Just plugged it off.

.....

Silence

.....

=> This strange IP: 192.168.99.1 is the cable modem itself.

So the culprit is identified. It tells me every second what IP it uses.

Is this common practice?

It would be interesting to dump the content of the UDP packet.

cya

Sulu

----------

## klieber

What kind of cable modem are you using?  It's odd that it seems to want to ack itself to the world (or at least to your network) every 1 second.  bootp isn't supposed to be all that chatty -- the client should be doing the requesting, not the server.

Anyway, you might try contacting your ISP.  If you wade through enough of the clueless tier 1 support people, you might actually get to someone who knows why your modem insists on sending out all that crap.  (as you can tell, I've never had good luck with ISP support folks.  :Smile: )

Or, you can set the --log-level in your firewall script to not log that stuff.  (again, see the netfilter page for more info)

--kurt

----------

## delta407

You could install Ethereal (a packet sniffer), shut off iptables temporarily, capture a few packets, and re-enable it. Ethereal would then dissect the packets to tell you exactly what your cable modem is saying.

----------

## sulu

@klieber

Strange thing, isn't it. But it's definitely the cable modem. Pulling cable out.. => no packet drops => no log flooding. 

I have a rather short --limit 2/s on iptables. But as I understand it establishes an upper limit of maximum two log entries per second. Means I have a rather talkative device, but it works very well.

*shrug* I'll contact the ISP-guys. Maybe I find one who knows his job.

@delta407

Neat tip..

I'll try to catch some of the packets. 

Maybe that tells me something.

..................

btw:

I'm getting suspicious about my ISP.

No one can ssh into my box.

I can ssh to the box of my friends easily.

Didn't want to post this issue because it's so instructive doing it the hard way (RTFM, /etc/-screwing, googling...)

But what do you think about :

eth0      Link encap:Ethernet  HWaddr 00:04:76:E6:99:B5
          inet addr:194.208.121.197  Bcast:255.255.255.255  Mask:255.255.254.0

I initialize my eth0 via dhcp from my ISP.

This is a class C network but the Mask = 255.255.254.0 ????

Do you think that's correct ??

Could that inhibit ssh-connections to my box ?

------------------------------------------------

Thanks a lot.

This is a great forum !

cya

Sulu

----------

## delta407

If it is a class C subnet, that is the wrong netmask. But, with CIDR addressing, this would be possible (i.e. it would be the 194.208.120.0/23 netblock).

A wrong netmask wouldn't prevent SSH connections, it would just break routing, so the fact that you can talk to anything means it's probably correct. Your firewall might be doing that or it's possible your ISP won't let you be a "server" (meaning they won't let you accept incoming TCP connections). Try moving it to a different port (should be an option in /etc/sshd/ somewhere) and see what happens.

----------

## klieber

*sulu wrote:*

> I have a rather short --limit 2/s on iptables. But as I understand it establishes an upper limit of maximum two log entries per second. Means I have a rather talkative device, but it works very well.

You *should* be able to define logging levels on a per rule basis.  So, create a specific rule that drops packets from your cable modem on the bootp ports and then set the --log-level to the appropriate number, or even better, set up a custom log in syslog.conf that logs to /dev/null.

All that crap in your logs isn't just an annoyance, it makes finding the real stuff that much harder.

--kurt
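As an added example (not code from this thread), here is a small Python filter over netfilter LOG lines in the format posted above: it counts drops per flow, separates the DHCP server-to-client broadcasts from everything else, and renders the matching silent DROP rule that would sit above a generic LOG rule. The sample log lines are constructed (IDs, the second source and the TCP probe are made up) and the interface name `eth0` is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the netfilter LOG format shown in the thread (IDs, the second
# SRC and the TCP probe are made up; nothing here is real captured data).
SAMPLE_LOG = """\
Jun 21 06:08:54 andy-linux kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21782 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 21 06:08:55 andy-linux kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21783 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 21 06:08:55 andy-linux kernel: fp=TCP:1 a=DROP IN=eth0 OUT= MAC=00:04:76:e6:99:b5:00:30:94:05:be:54:08:00 SRC=203.0.113.7 DST=194.208.121.197 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=4455 DPT=22
Jun 21 06:08:56 andy-linux kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21784 PROTO=UDP SPT=67 DPT=68 LEN=308
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line; the first LEN (IP total length) wins."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)
    return fields

def flow_key(f):
    return (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("SPT"), f.get("DPT"))

def find_noisy_flows(log_text, min_hits=3):
    """Count drops per 5-tuple and return the flows that repeat at least min_hits times."""
    counts = Counter(flow_key(parse_line(l)) for l in log_text.splitlines() if "kernel:" in l)
    return {k: n for k, n in counts.items() if n >= min_hits}

def is_dhcp_server_broadcast(f):
    """The pattern from the thread: UDP 67 -> 68 to the limited broadcast address."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "67"
            and f.get("DPT") == "68" and f.get("DST") == "255.255.255.255")

def split_noise(log_text):
    """Separate the DHCP broadcasts from everything else so only the rest needs reading."""
    noise, rest = [], []
    for line in log_text.splitlines():
        (noise if is_dhcp_server_broadcast(parse_line(line)) else rest).append(line)
    return noise, rest

def suppress_rule(flow, iface="eth0"):
    """iptables rule (interface eth0 is an assumption) that silently drops one flow; insert
    it with -I so it sits above the generic LOG rule and these packets never reach syslog."""
    src, dst, proto, spt, dpt = flow
    return (f"iptables -I INPUT -i {iface} -p {proto.lower()} -s {src} -d {dst} "
            f"--sport {spt} --dport {dpt} -j DROP")
```

The TCP line to port 22 stays in the "rest" list, which is the point: muting one well-defined flow rather than lowering the log level keeps the interesting drops visible.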

----------

## delta407

*klieber wrote:*

> All that crap in your logs isn't just an annoyance, it makes finding the real stuff that much harder.

That is, unless you read your logs with "grep -v MAC=ff:ff:ff:ff:ff:ff:00:30:94:05:be:54:08:00"... which you don't, so nevermind.  :Smile: 

----------

## sulu

@delta407

I think that my ISP won't let me play server. I don't think it's the firewall because I've explicitly opened port 22.

@klieber

I'll adapt the iptables-ruleset for the cable modem.

A special rule for this event will be appropriate.

btw: With ethereal I found out that it sends a DHCP offer every second. 

Thanks a lot guys.

I'll have an engaged conversation with my ISP.
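To show what a packet sniffer dissects in those 308-byte UDP payloads, here is an added example (not from this thread or from Ethereal): a minimal BOOTP/DHCP parser that reads the fixed header and walks the option list to report the message type (option 53), alongside a constructed DHCPOFFER to feed it. All addresses, the transaction id and the client MAC are made-up values.

```python
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

def ip4(s):
    return ipaddress.IPv4Address(s).packed

def build_offer(xid, your_ip, server_ip, lease):
    """Constructed DHCPOFFER payload (all values illustrative, not captured from the modem)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, xid, 0, 0x8000,             # BOOTREPLY, Ethernet, broadcast flag
                      b"\0" * 4, ip4(your_ip), ip4(server_ip), b"\0" * 4,
                      b"\x02\x00\x00\x00\x00\x01" + b"\0" * 10,  # made-up client MAC (chaddr)
                      b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, 2]) + bytes([54, 4]) + ip4(server_ip)
            + bytes([51, 4]) + struct.pack("!I", lease) + b"\xff")
    return hdr + MAGIC + opts

def parse_dhcp(payload):
    """Parse BOOTP header + DHCP options (RFC 2131 layout); raise ValueError on malformed input."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (too short or bad magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    info = {"op": "BOOTREPLY" if op == 2 else "BOOTREQUEST", "xid": xid,
            "broadcast": bool(flags & 0x8000),
            "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
            "chaddr": payload[28:28 + min(hlen, 16)].hex(":")}
    i, opts = 240, {}
    while i < len(payload):              # TLV walk: 0 = pad, 255 = end of options
        tag = payload[i]
        if tag == 255:
            break
        if tag == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        ln, val = payload[i + 1], payload[i + 2:i + 2 + payload[i + 1]]
        if len(val) != ln:
            raise ValueError("option %d overruns packet" % tag)
        opts[tag], i = val, i + 2 + ln
    mt = opts.get(53)
    info["message_type"] = MSG_TYPES.get(mt[0], "UNKNOWN") if mt and len(mt) == 1 else None
    if 54 in opts and len(opts[54]) == 4:
        info["server_id"] = str(ipaddress.IPv4Address(opts[54]))
    if 51 in opts and len(opts[51]) == 4:
        info["lease_seconds"] = struct.unpack("!I", opts[51])[0]
    return info
```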

----------

