TOPIC: SUN firewall log entries

Hello,
I have the following in my firewall log, any ideas why I am getting these alerts ?

Jul 9 23:14:04 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
Jul 9 23:19:27 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67

Berts,

The log entries show that there is a machine on your network that is sending a DHCP request in order to get an IP Address, this is causing your Sun firewall to produce the security alert.

Also, it seems like the machine sending the DHCP request is on the same physical network your 'qfe2' ethernet network card is connected. This should help you track down which machine it might be.

If your wondering how to read the information here is the answer:

- if=qfe2 Your network card receiving the DHCP request

- srcaddr=0.0.0.0 Perfectly normal. Any machine that sends a DHCP request has no IP address assigned at that point

- srcport=68 The mystery machine's source port, this value is exactly what you would expect to see in a DHCP request

- dstaddr=255.255.255.255 This indicates a broadcast, expected in a DHCP request

- dstport=67 The destination port of the above broadcast is port 67. This happens to be the same port a DHCP server listens on.

Hope that helps.

Cheers,

Hi,
Thank you, very much for that insight. Where would I look for to attain that type of knowledge, you just provided me.

Again, thk U..

To learn to understand the log entries you should build up on your knowledge of networking protocols.. something you can do at this site itself !

For example, Chris was able to look at the log entries, and he saw the source IP as 0.0.0.0, source port as 68 and the destination as a broadcast address with destination port 67. He knew that these are all DHCP protocol characteristics..

when the machine wants an ip address, it sends a broadcast (message to everyone) from its port 68 saying 'hey i need an ip', the destination port is 67 (which is what DHCP servers listen on)

Cheers,