ipflog entries?

Robert Marella rmarella at gmail.com
Mon Apr 4 15:45:37 PDT 2005


Danny Pansters wrote:

>On Tuesday 05 April 2005 00:05, Robert Marella wrote:
>
>>Greetings
>>
>>My daily mail on my firewall (5.3-rel-p4) has always shown many
>>(> 10000) blocks by my blocking rule
>>"block in quick on em0 from 10.0.0.0/8 to any". Obviously I'm using
>>ipf/ipnat.
>>
>>So, for education, today I enabled "log" for a short time on that rule.
>>Within a few minutes I logged over twenty
>>attempts from the same address. (Sample below, text attached)
>>
>>04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
>>04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>>04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
>>04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
>>
>>Port 67 shows dhcps and 68 shows dhcpc in /etc/services.
>>
>>em0 is connected to my roadrunner cable modem. Is the cable modem doing
>>this or is someone spoofing this IP address?
>>
>>Sorry if this has been answered already but I'm kind of new to the
>>firewall stuff.
>>
>>Thank you for your time.
>>Robert
>
>It's your cable provider insisting to send you bootps info (for broken windows 
>customers I reckon). Yech that's as if you're some network appliance :) Mine 
>does that too. I just drop/not log them. Whenever your dhclient needs to 
>renew a lease it will connect and if your firewall keeps state on that your 
>ISP's dhcp server has its lucky moment because for once something may 
>connect back in. Both of you happy.
>
>HTH,
>
>Dan
>
Thanks Dan.

I kinda thunk it was something like that. Just wanted someone such as 
yourself to confirm. The sheer number that was reported in the daily 
mail was what got me concerned. I was and am just dropping them. I only 
enabled the log for about 5 minutes.

Thanks again
Robert
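
Added example, not part of the original thread: a small parser for ipmon log lines in the format quoted above, which counts blocked inbound entries from 10.0.0.0/8 per source and labels the udp 67 -> 68 broadcasts as DHCP server traffic. The first four sample lines are taken from the thread (rejoined onto one line each); the fifth line, the label names and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# ipmon line layout as seen in the thread:
# date time iface @group:rule action src,sport -> dst,dport PR proto len hdrlen pktlen [flags] IN|OUT
LINE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?: \S+)* (?P<dir>IN|OUT)$"
)
BLOCKED_NET = ipaddress.ip_network("10.0.0.0/8")  # source range of the block rule in the thread

# Lines 1-4 come from the thread; line 5 is constructed for contrast (not real traffic).
SAMPLE = """\
04/04/2005 11:33:41.034653 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:41.973120 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:33:57.532249 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 337 IN
04/04/2005 11:33:58.963415 em0 @0:3 b 10.96.0.1,67 -> 255.255.255.255,68 PR udp len 20 344 IN
04/04/2005 11:34:02.118200 em0 @0:3 b 10.1.2.3,4021 -> 192.0.2.10,445 PR tcp len 20 48 -S IN
"""

def classify(m):
    """Label one parsed entry; DHCP server replies are udp 67 -> 68, usually broadcast."""
    if m["proto"] == "udp" and m["sport"] == "67" and m["dport"] == "68":
        return "dhcp-server-broadcast" if m["dst"] == "255.255.255.255" else "dhcp-server-unicast"
    return "other"

def summarize(text):
    """Count blocked inbound entries from BLOCKED_NET per (source, label)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["action"] != "b" or m["dir"] != "IN":
            continue  # skip unparsable lines, passes, and outbound entries
        if ipaddress.ip_address(m["src"]) not in BLOCKED_NET:
            continue
        counts[(m["src"], classify(m))] += 1
    return counts

if __name__ == "__main__":
    for (src, label), n in summarize(SAMPLE).most_common():
        print(f"{n:6d}  {src:15s}  {label}")
```
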


