
SUN firewall log entries

21 years 5 months ago #142 by berts
Hello,
I have the following in my firewall log. Any ideas why I am getting these alerts?

Jul 9 23:14:04 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
Jul 9 23:19:27 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
21 years 5 months ago #143 by Chris
Replied by Chris on topic SUN firewall log entries
Berts,

The log entries show that there is a machine on your network that is sending a DHCP request in order to get an IP address; this is causing your Sun firewall to produce the security alert.

Also, it seems like the machine sending the DHCP request is on the same physical network your 'qfe2' ethernet network card is connected to. This should help you track down which machine it might be.

If you're wondering how to read the information, here is the answer:

- if=qfe2 Your network card receiving the DHCP request

- srcaddr=0.0.0.0 Perfectly normal. Any machine that sends a DHCP request has no IP address assigned at that point

- srcport=68 The mystery machine's source port; this value is exactly what you would expect to see in a DHCP request

- dstaddr=255.255.255.255 This indicates a broadcast, expected in a DHCP request

- dstport=67 The destination port of the above broadcast is port 67. This happens to be the same port a DHCP server listens on.

Hope that helps.

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
21 years 5 months ago #144 by berts
Replied by berts on topic SUN firewall log entries
Hi,
Thank you very much for that insight. Where would I look to attain the type of knowledge you just provided me?

Again, thank you.
21 years 2 months ago #852 by sahirh
Replied by sahirh on topic Re: SUN firewall log entries
To learn to understand the log entries you should build up your knowledge of networking protocols, something you can do at this site itself!

For example, Chris was able to look at the log entries, and he saw the source IP as 0.0.0.0, source port as 68 and the destination as a broadcast address with destination port 67. He knew that these are all DHCP protocol characteristics.

When the machine wants an IP address, it sends a broadcast (message to everyone) from its port 68 saying 'hey, I need an IP'; the destination port is 67 (which is what DHCP servers listen on).

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
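
An added example, not part of the original thread: a small Python parser for the gfw securityalert lines quoted above that splits out the key=value fields and separates DHCP client broadcasts (the 0.0.0.0:68 to 255.255.255.255:67 pattern described in the replies) from other alerts. The function names and the third sample line are constructed for illustration.

```python
import re

# Sample input: the first two lines are the entries quoted in the thread;
# the third is a constructed non-DHCP entry in the same format, for contrast.
SAMPLE_LOG = """\
Jul 9 23:14:04 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
Jul 9 23:19:27 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
Jul 9 23:20:11 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=192.0.2.44 srcport=4021 dstaddr=198.51.100.7 dstport=53
"""

# "securityalert: <reason>: <PROTO> key=value key=value ..."
ALERT_RE = re.compile(
    r"securityalert: (?P<reason>.+?): (?P<proto>[A-Z]+) (?P<fields>\w+=.*)$"
)

def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    entry = {"reason": m.group("reason"), "proto": m.group("proto")}
    for pair in m.group("fields").split():
        if "=" in pair:                      # ignore stray tokens without a value
            key, value = pair.split("=", 1)
            entry[key] = value
    return entry

def is_dhcp_client_broadcast(entry):
    """True for the pattern explained in the thread: an address-less client
    (0.0.0.0, port 68) broadcasting to a DHCP server port (67)."""
    return (entry.get("proto") == "UDP"
            and entry.get("srcaddr") == "0.0.0.0"
            and entry.get("srcport") == "68"
            and entry.get("dstaddr") == "255.255.255.255"
            and entry.get("dstport") == "67")

def summarize(log_text):
    """Count DHCP client broadcasts per interface; return other alerts for review."""
    dhcp_by_if, other = {}, []
    for line in log_text.splitlines():
        entry = parse_alert(line)
        if entry is None:
            continue
        if is_dhcp_client_broadcast(entry):
            iface = entry.get("if", "unknown")
            dhcp_by_if[iface] = dhcp_by_if.get(iface, 0) + 1
        else:
            other.append(entry)
    return dhcp_by_if, other
```

Grouping the DHCP broadcasts by interface shows which physical segment the requesting machine sits on, while anything left in the second list still needs a manual look.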