TOPIC: SUN firewall log entries

SUN firewall log entries 13 years 2 months ago #142

  • berts
Hello,
I have the following in my firewall log. Any ideas why I am getting these alerts?

Jul 9 23:14:04 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
Jul 9 23:19:27 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67

SUN firewall log entries 13 years 2 months ago #143

  • Chris
Berts,

The log entries show that there is a machine on your network that is sending a DHCP request in order to get an IP address; this is causing your Sun firewall to produce the security alert.

Also, it seems like the machine sending the DHCP request is on the same physical network your 'qfe2' Ethernet network card is connected to. This should help you track down which machine it might be.

If you're wondering how to read the information, here is the answer:

- if=qfe2 Your network card receiving the DHCP request

- srcaddr=0.0.0.0 Perfectly normal. Any machine that sends a DHCP request has no IP address assigned at that point

- srcport=68 The mystery machine's source port; this value is exactly what you would expect to see in a DHCP request

- dstaddr=255.255.255.255 This indicates a broadcast, expected in a DHCP request

- dstport=67 The destination port of the above broadcast is port 67. This happens to be the same port a DHCP server listens on.

Hope that helps.

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

SUN firewall log entries 13 years 2 months ago #144

  • berts
Hi,
Thank you very much for that insight. Where would I look to attain the type of knowledge you just provided me?

Again, thank you.

Re: SUN firewall log entries 12 years 11 months ago #852

  • sahirh
To learn to understand the log entries, you should build up your knowledge of networking protocols, something you can do at this site itself!

For example, Chris was able to look at the log entries, and he saw the source IP as 0.0.0.0, source port as 68 and the destination as a broadcast address with destination port 67. He knew that these are all DHCP protocol characteristics.

When the machine wants an IP address, it sends a broadcast (message to everyone) from its port 68 saying 'hey, I need an IP'; the destination port is 67 (which is what DHCP servers listen on).

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
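
Added example (not part of any post in this thread): a short Python script that applies the field-by-field reading from the replies above to the log format berts posted, parsing each securityalert entry and counting DHCP client broadcasts per interface so the noisy segment stands out. The function names are this example's own, and the third sample line is constructed for contrast.

```python
import re
from collections import Counter

# Lines 1-2 are the entries quoted in the thread. Line 3 is a constructed
# non-DHCP entry (documentation addresses, made-up ports) for contrast.
SAMPLE_LOG = """\
Jul 9 23:14:04 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
Jul 9 23:19:27 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=0.0.0.0 srcport=68 dstaddr=255.255.255.255 dstport=67
Jul 9 23:21:10 wall.rs.net gfw: [ID 702911 kern.info] securityalert: source not allowed on interface: UDP if=qfe2 srcaddr=192.0.2.10 srcport=40000 dstaddr=198.51.100.5 dstport=53
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None if it is not a securityalert."""
    m = re.search(r"securityalert: (.+): (\w+) \w+=", line)
    if not m:
        return None
    entry = dict(re.findall(r"(\w+)=(\S+)", line))  # if=, srcaddr=, srcport=, ...
    entry.update(reason=m.group(1), proto=m.group(2))
    return entry

def is_dhcp_client_broadcast(e):
    """True when the entry has the DHCP client characteristics listed in the thread."""
    return (e.get("proto") == "UDP"
            and e.get("srcaddr") == "0.0.0.0"          # client has no address yet
            and e.get("srcport") == "68"               # DHCP client port
            and e.get("dstaddr") == "255.255.255.255"  # limited broadcast
            and e.get("dstport") == "67")              # DHCP server port

def summarize(log_text):
    """Count DHCP client broadcasts per interface; collect every other alert."""
    dhcp_by_if, other = Counter(), []
    for line in log_text.splitlines():
        e = parse_alert(line)
        if e is None:
            continue
        if is_dhcp_client_broadcast(e):
            dhcp_by_if[e["if"]] += 1
        else:
            other.append(e)
    return dhcp_by_if, other

if __name__ == "__main__":
    dhcp, other = summarize(SAMPLE_LOG)
    for iface, n in dhcp.items():
        print(f"{iface}: {n} DHCP client broadcast(s) rejected")
    for e in other:
        print(f"review: {e['proto']} {e['srcaddr']}:{e['srcport']} -> {e['dstaddr']}:{e['dstport']} on {e['if']}")
```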