On Fri, 2003-08-29 at 00:32, Andrew Robinson wrote:
> Iain Buchanan wrote:
>
> >On Thu, 2003-08-28 at 11:38, Andrew Robinson wrote:
> >
> >>I'm getting many instances of these messages:
> >>
> >>Aug 25 15:28:46 orpheus kernel: SPOOFED-IP: IN=eth0 OUT= MAC=
> >[snip]
> >
> >Were you worried about the words "SPOOFED-IP"? It looks like
> >"SPOOFED-IP" might just be the --log-prefix you assigned to log
> >messages. Correct me if I'm wrong :)
> >
> Yeah, "SPOOFED-IP" seemed to indicate something wrong. How do I check to
> see if it is the log prefix?

Have a look in /etc/sysconfig/iptables for --log-prefix. You can have
different log prefixes on each rule if you wish, or the same one for
all. A packet is usually logged just before it's dropped, but not
always. "SPOOFED-IP" is an unusual prefix. I make my prefixes reflect
what I'm actually doing with a packet, for example "eth0 Drop".

> >I'm not quite sure what to address here...
> >
> Unfortunately, neither do I, which is why the question was so nebulous.
> The message seems to indicate a problem. I just don't know what or how
> serious. What info can I provide to help?

Basically the message is just telling you that a packet has been
logged! That's not much use unless you happen to know that after
packets are logged, they're also dropped/rejected.

If you analyse the info, you will notice the packet is broadcast from
192.168.123.19, which you said is orpheus, to 192.168.123.255, i.e.
everyone on 192.168.123, including orpheus. Broadcasts are (should be)
received by everyone, including the sender, so your firewall picks up
the packet, and goes through the rules until it finds one that matches
this packet (and logs it), and most likely another one that drops it.
(The default could also be to drop, so there isn't necessarily an
explicit rule to drop this packet.)

There's nothing to worry about here. This is usual behaviour if your
firewall drops everything by default, and then only accepts a few
ports.

As I mentioned, this packet is coming in on port 138, which is a
Windows networking / SMB port, so it could just be smbd browsing for
other machines in your 'workgroup'. Because of the large number of
Windows machines on my network at work, I don't even log packets on
ports 137-139, and 445. I just drop them straight away.

> >btw, nice hostname:
> >
> Mine's named after the Mardi Gras parade krewe. Where did you get your
> name? ;)

After the mythical (Greek) 'musician' who "by his songs moved stones
and trees, holding also a spell over the wild beasts." He went to the
underworld to retrieve his dead loved one, and sang the two-headed hell
hound/guard dog Cerberos to sleep. Hades was even persuaded, so he let
them return, on the condition that Eurydice would follow and Orpheus
would not look back till they were home, or he would lose her forever.
He couldn't resist though, and just before they arrived he had to turn
over his shoulder, where he saw Eurydice, before she was taken back...

-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
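
Added example, not part of the original message: a small Python script that does the check described in the reply above, listing every --log-prefix in an iptables-save style ruleset (the format of /etc/sysconfig/iptables) together with what happens to the packet after it is logged. The ruleset and the function names are constructed for illustration; they are not the poster's actual firewall rules.

```python
import shlex

# Constructed sample ruleset in iptables-save format (hypothetical, for illustration).
SAMPLE_RULES = '''
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.123.19 -i eth0 -j LOG --log-prefix "SPOOFED-IP: "
-A INPUT -s 192.168.123.19 -i eth0 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -i eth0 -j LOG --log-prefix "eth0 Drop: "
COMMIT
'''

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return (policies, rules); each rule is (chain, match, target, target_opts)."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":INPUT DROP [0:0]" sets a chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)              # keeps a quoted log prefix as one token
            if "-j" not in tok:
                continue                         # rule without a jump target
            j = tok.index("-j")
            rules.append((tok[1], tuple(tok[2:j]), tok[j + 1], tok[j + 2:]))
    return policies, rules

def log_prefixes(text):
    """For each LOG rule: its prefix, chain, match, and the packet's fate afterwards.
    Fate is a later rule in the same chain with the identical match, else the chain's
    default policy (rules with a different match are not evaluated)."""
    policies, rules = parse(text)
    found = []
    for i, (chain, match, target, opts) in enumerate(rules):
        if target != "LOG" or "--log-prefix" not in opts:
            continue
        prefix = opts[opts.index("--log-prefix") + 1]
        fate = "policy " + policies.get(chain, "?")
        for c2, m2, t2, _ in rules[i + 1:]:
            if c2 == chain and m2 == match and t2 in TERMINATING:
                fate = "rule " + t2
                break
        found.append({"prefix": prefix, "chain": chain,
                      "match": " ".join(match), "then": fate})
    return found

if __name__ == "__main__":
    for entry in log_prefixes(SAMPLE_RULES):
        print(entry)
```

To run it against a real ruleset, pass the contents of /etc/sysconfig/iptables (or the output of iptables-save) to log_prefixes() instead of the sample string.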