David,

255.255.255.255 is a broadcast.

Joe

-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us] On Behalf Of David Demland
Sent: Friday, July 21, 2000 10:38 PM
To: PLUG Discuss
Subject: Firewall Questions

I have now got a big part of my log file problems taken care of, I hope. Since I was getting many DENY from just a few common IPs, I spent time trying to see what was in common so I could remove so many logs from these IPs. This is what I found:

1. - There were four common IPs: 200.*.*.*, 24.*.*.*, 169.*.*.*, and 10.*.*.*. All four of these had one thing in common, the return IP. This was 255.255.255.255. I thought that the return IP was nothing more than a mask. So I added a deny line for each IP that looks like:

    ipchains -A input -j DENY -s 200.0.0.0/8 -d 255.255.255.255 -i eth1

This has seemed to remove so many entries in my log file. Could this be a problem later on?

2. - Now that I have been able to "clean up" my log file I have been able to see the following in the log:

    Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)

In this case the source IP and the destination IP seem to be valid. Any ideas on what I should do? I know that these IPs are on the Cox network, so does this mean that Cox is checking on something or someone on the Cox network is looking for something?

3. - There are now a couple of IPs that have the return IP of 255.255.255.255 that I did not notice before. Should I do the same with each of these IPs or not?

Thank You,

David Demland
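Added example (not part of the original thread, and not code from either poster): a Python parser for the ipchains packet-log line quoted above, which labels each denied packet's destination as the limited broadcast 255.255.255.255, a directed broadcast for a subnet that also contains the source, or unicast. The field names given to L=, S=, I=, F= and T= and the second sample line are assumptions made for illustration; the prefix length is computed from the two addresses only and says nothing about the mask the network actually uses.

```python
import ipaddress
import re

# Layout of an ipchains "Packet log:" line; group names are illustrative.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def shared_broadcast_prefixes(src, dst):
    """Prefix lengths for which dst is the broadcast address of a subnet
    that also contains src (empty list: dst is not such a broadcast)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hits = []
    for prefix in range(8, 31):
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        if net.broadcast_address == dst_ip and src_ip in net:
            hits.append(prefix)
    return hits

def classify(rec):
    """Label the destination: limited broadcast, directed broadcast, unicast."""
    if rec["dst"] == "255.255.255.255":
        return "limited broadcast"
    prefixes = shared_broadcast_prefixes(rec["src"], rec["dst"])
    if prefixes:
        return "directed broadcast for /" + ",".join(map(str, prefixes))
    return "unicast"

# First line: the log entry quoted in the message. Second line: constructed
# (made-up values) with the 255.255.255.255 destination the message describes.
SAMPLES = [
    "Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 "
    "24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)",
    "Jul 20 18:26:02 localhost kernel: Packet log: input DENY eth1 PROTO=17 "
    "10.1.2.3:1025 255.255.255.255:1025 L=60 S=0x00 I=7 F=0x0000 T=64 (#12)",
]

for sample in SAMPLES:
    rec = parse_line(sample)
    print(rec["src"], "->", rec["dst"], "rule", rec["rule"], ":", classify(rec))
```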