-----Original Message-----
From: plug-discuss-admin@lists.plug.phoenix.az.us [mailto:plug-discuss-admin@lists.plug.phoenix.az.us] On Behalf Of David Demland
Sent: Friday, July 21, 2000 10:38 PM
To: PLUG Discuss
Subject: Firewall Questions

I have now got a big part of my log file problems taken care of, I hope. Since I was getting many DENYs from just a few common IPs, I spent time trying to see what was in common so I could remove so many logs from these IPs. This is what I found:

1. There were four common IPs: 200.*.*.*, 24.*.*.*, 169.*.*.*, and 10.*.*.*. All four of these had one thing in common, the return IP. This was 255.255.255.255. I thought that the return IP was nothing more than a mask. So I added a deny line for each IP that looked like:

    ipchains -A input -j DENY -s 200.0.0.0/8 -d 255.255.255.255 -i eth1

This has seemed to remove so many entries in my log file. Could this be a problem later on?

2. Now that I have been able to "clean up" my log file I have been able to see the following in the log:

    Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)

In this case the source IP and the destination IP seem to be valid. Any ideas on what I should do? I know that these IPs are on the Cox network, so does this mean that Cox is checking on something, or that someone on the Cox network is looking for something?

3. There are now a couple of IPs that have the return IP of 255.255.255.255 that I did not notice before. Should I do the same with each of these IPs or not?

---

Much of what you are seeing is a DHCP request... 169.174.10.xxx broadcasting the entire subnet (255.255.255.255) - casting about to be assigned an ip address by a DHCP server. It's excessive on Cox, which wants to assign ip addresses on a fairly short lease - even though their system is virtually a fixed ip address.
If you aren't running any servers (ftp/www/inbound mail etc.), then block everything and don't log anything and you are pretty much done. I have gone to logging little on Cox@home/Cox@work connections since so much goes on and the log grows like wildfire.

Source addresses of 10.0.x.x, 192.168.x.x are typical of either a stupid setup (many can be found on Cox's shared bandwidth) or blatant attempts to stuff IP addresses and gain unauthorized access to poorly set up networks.

If you intend to discern the logged packet rejection activity, you will need a list of port #'s/services so you can comprehend what's going on. Your example lists port # 121, which I am not familiar with, but for some ports the intent is obvious...

Craig
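As an added example for readers of this thread (not code from David or Craig), here is a small Python triage script for ipchains "Packet log:" lines of the kind quoted above. It parses the fields, names the protocol and a few well-known ports, and tags each denied packet with the reasons Craig gives for it being noise rather than a probe: a limited broadcast to 255.255.255.255, DHCP traffic on UDP 67/68, or a private (RFC 1918) source address. The first sample line is the one from David's post; the other two lines are constructed for illustration, and the "directed-broadcast" tag (destination ending in .255, assuming a /24 subnet) is a heuristic assumption, not something the log proves.

```python
"""Triage ipchains "Packet log:" DENY lines (added example, not the posters' code)."""
import ipaddress
import re
from collections import Counter

# Line 1 is copied from the original post; lines 2 and 3 are constructed
# in the same ipchains format (a DHCP discover and a private-source telnet SYN).
SAMPLE_LOG = """\
Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)
Jul 20 18:25:40 localhost kernel: Packet log: input DENY eth1 PROTO=17 169.174.10.20:68 255.255.255.255:67 L=328 S=0x00 I=12 F=0x0000 T=64 (#39)
Jul 20 18:26:02 localhost kernel: Packet log: input DENY eth1 PROTO=6 10.0.5.9:1034 192.0.2.10:23 L=44 S=0x00 I=1 F=0x4000 T=52 SYN (#41)
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Only well-known assignments; port 121 from the post is deliberately left unknown.
PORT_NAMES = {23: "telnet", 25: "smtp", 67: "bootps/DHCP server", 68: "bootpc/DHCP client", 80: "http"}

# ipchains log layout: chain action iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+)"
    r" F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: (?P<syn>SYN))?(?: \(#(?P<rule>\d+)\))?"
)


def parse_line(line):
    """Return the packet fields as a dict, or None for lines that are not ipchains packet logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["len"]), "ttl": int(d["ttl"]),
        "syn": d["syn"] is not None,
        "rule": int(d["rule"]) if d["rule"] else None,
    }


def classify(pkt):
    """Tag a parsed packet with the reasons it is probably background noise.

    'directed-broadcast' assumes the destination subnet is a /24 (last octet 255);
    that is a heuristic assumption, not a fact the log line establishes.
    """
    tags = []
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if dst == ipaddress.ip_address("255.255.255.255"):
        tags.append("limited-broadcast")
    elif dst.packed[-1] == 255:
        tags.append("directed-broadcast")
    if pkt["proto"] == "UDP" and {pkt["sport"], pkt["dport"]} & {67, 68}:
        tags.append("dhcp")
    if src.is_private:  # 10/8, 172.16/12, 192.168/16 and friends
        tags.append("private-source")
    return tags


def describe(pkt):
    """One-line human summary with the destination port named where it is well known."""
    service = PORT_NAMES.get(pkt["dport"], "unknown port")
    flag = " SYN" if pkt["syn"] else ""
    return (f"{pkt['iface']} {pkt['proto']}{flag} {pkt['src']}:{pkt['sport']} -> "
            f"{pkt['dst']}:{pkt['dport']} ({service})")


def summarize(text):
    """Count how many denied packets carry each tag; untagged packets count as 'unclassified'."""
    counts = Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        tags = classify(pkt) or ["unclassified"]
        counts.update(tags)
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        pkt = parse_line(line)
        print(describe(pkt), classify(pkt))
    print(dict(summarize(SAMPLE_LOG)))
```

Run over a real log, the tag counts show how much of the volume is broadcast and DHCP chatter that can be dropped without logging, while untagged entries (such as the port 121 line, whose purpose the thread leaves open) are the ones worth a closer look.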